niallmcl

Need Help!

I need help. Jane helped me out before and everything was working great, and then I opened an episode of Lost I had downloaded and there are now problems. I ran Ad-Aware SE and ran SmitfraudFix in safe mode. My computer is now being so so slow!! I don't know how to fix it. Any help would be great!!!


A few basic things you can do:

1. Go to your Control Panel, Add/Remove Programs, and see if you can find any programs that you did not install and you know are not part of your computer's preinstalled software. If you do, try to uninstall them.

2. Run an antivirus scan and try to clean/delete anything on there. (See below if you don't have an antivirus.) If that resolves it, do not continue on.

3. If you don't have any important *programs* that you installed AFTER getting this virus, you can do a System Restore. Note that Word documents etc. will not be deleted.

To do this:

1. Go to Start, All Programs, Accessories, System Tools, System Restore.

2. Click on "Restore my computer to an earlier time".

3. Click on a BOLDED date closest to the time before you got the virus.

4. Click OK/Restore.

Note: I am assuming you are using Windows XP. To undo this restoration if you see it did not help, repeat step one and click on "Undo my last restoration".

--------------------------------------------

If you do not have an antivirus, please go to the following link to scan your computer with McAfee AntiVirus. I feel it does a better job.

http://us.mcafee.com/root/mfs/default.asp

If that doesn't help, please download a free antivirus from the following link.

http://www.download.com/AVG-Anti-Virus-Fre...tml?tag=lst-0-2

I hope I was able to help. {email address removed by LS CalamityJane}

Edited by LS CalamityJane


You have too many programs starting up when your computer turns on. I'll try to help you configure those.

1. Please install CCleaner with the link I provided before.

2. Run the program, and go to the tab titled "Tools".

3. On the left, click on Startup.

4. Find programs you don't want to start up and click Delete Entry.

Note: This does NOT delete the file, just the startup entry.

Another problem may be that your files are scattered around the registry rather than packed together, so it takes longer for the computer to find those. I'll help you fix that too.

1. Go to Start > All Programs > Accessories > System Tools > Disk Defragmenter.

2. Click on your C: drive.

3. Click Defragment.

Note: this may take a while depending on how many files you have and how big your hard drive is. It may take up to 2 hours, so please be patient. It may hang every now and then as well.

I hope I was able to help.


Hi, Niall.

 

The next time you want to watch a program you downloaded, scan it first!

 

As you may end up back with Janie, I suggest you start here first with an Ad-Aware SE log file and someone will be along to take a look at it. (Not all infections are cleaned with the SmitFraud fix. :) )


I know I shouldn't... here is my Ad-Aware log file.

Also I installed AVG virus protection.

I keep getting this message:

While opening file: C:\System Volume Information\_restore{BCFD79B8-86E2-412D-8796-870B9B46DF3E}\RP280\A0226915.dll

Trojan horse Proxy.BFJ

When I press Heal it keeps popping up...

 

Ad-Aware SE Build 1.06r1

Logfile Created on:13 July 2006 11:52:43

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R114 08.07.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):3 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

13-07-2006 11:52:43 - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\niall mclaughlin\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1844237615-1935655697-1708537768-1004\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 488

ThreadCreationTime : 13-07-2006 10:49:22

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 548

ThreadCreationTime : 13-07-2006 10:49:24

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 580

ThreadCreationTime : 13-07-2006 10:49:32

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 624

ThreadCreationTime : 13-07-2006 10:49:33

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 636

ThreadCreationTime : 13-07-2006 10:49:33

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 788

ThreadCreationTime : 13-07-2006 10:49:35

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 844

ThreadCreationTime : 13-07-2006 10:49:35

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 908

ThreadCreationTime : 13-07-2006 10:49:35

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 992

ThreadCreationTime : 13-07-2006 10:49:35

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1036

ThreadCreationTime : 13-07-2006 10:49:36

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1344

ThreadCreationTime : 13-07-2006 10:49:39

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:12 [avgamsvr.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1448

ThreadCreationTime : 13-07-2006 10:49:39

BasePriority : Normal

FileVersion : 7,1,0,365

ProductVersion : 7.1.0.365

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Alert Manager

InternalName : avgamsvr

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgamsvr.EXE

 

#:13 [avgupsvc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1468

ThreadCreationTime : 13-07-2006 10:49:40

BasePriority : Normal

FileVersion : 7,1,0,349

ProductVersion : 7.1.0.349

ProductName : AVG 7.0 Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Update Service

InternalName : avgupsvc

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgupdsvc.EXE

 

#:14 [wuauclt.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1248

ThreadCreationTime : 13-07-2006 10:50:36

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Automatic Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wuauclt.exe

 

#:15 [wmiprvse.exe]

FilePath : C:\WINDOWS\System32\wbem\

ProcessID : 1008

ThreadCreationTime : 13-07-2006 10:50:59

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : WMI

InternalName : Wmiprvse.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : Wmiprvse.exe

 

#:16 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 220

ThreadCreationTime : 13-07-2006 10:51:14

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:17 [s3hotkey.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 272

ThreadCreationTime : 13-07-2006 10:51:22

BasePriority : Normal

FileVersion : 1.0.0.4

ProductVersion : 1.0.0.4

ProductName : S3 Graphics, Inc. S3Hotkey

CompanyName : S3 Graphics, Inc.

FileDescription : S3Hotkey

InternalName : S3Hotkey

LegalCopyright : Copyright © 2001 by S3 Graphics, Inc.

OriginalFilename : S3Hotkey

 

#:18 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_06\bin\

ProcessID : 972

ThreadCreationTime : 13-07-2006 10:51:22

BasePriority : Normal

 

 

#:19 [cfd.exe]

FilePath : C:\Program Files\BroadJump\Client Foundation\

ProcessID : 1328

ThreadCreationTime : 13-07-2006 10:51:22

BasePriority : Normal

 

 

#:20 [motivesb.exe]

FilePath : C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\

ProcessID : 1392

ThreadCreationTime : 13-07-2006 10:51:22

BasePriority : Normal

FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000

ProductVersion : 5.6.7.asst_classic.smartbridge

ProductName : Motive System

CompanyName : Motive Communications, Inc.

FileDescription : ntl:home broadband medic alerts

InternalName : version

LegalCopyright : Copyright 1998-2003

OriginalFilename : version

 

#:21 [ituneshelper.exe]

FilePath : C:\Program Files\iTunes\

ProcessID : 1516

ThreadCreationTime : 13-07-2006 10:51:23

BasePriority : Normal

FileVersion : 6.0.4.2

ProductVersion : 6.0.4.2

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iTunesHelper Module

InternalName : iTunesHelper

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iTunesHelper.exe

 

#:22 [avgcc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1928

ThreadCreationTime : 13-07-2006 10:51:23

BasePriority : Normal

FileVersion : 7,1,0,381

ProductVersion : 7.1.0.381

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Control Center

InternalName : AvgCC

LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.

OriginalFilename : AvgCC.EXE

 

#:23 [msnmsgr.exe]

FilePath : C:\Program Files\MSN Messenger\

ProcessID : 1916

ThreadCreationTime : 13-07-2006 10:51:23

BasePriority : Normal

FileVersion : 7.5.0324

ProductVersion : 7.5.0324

ProductName : MSN Messenger

CompanyName : Microsoft Corporation

FileDescription : MSN Messenger

InternalName : msnmsgr

LegalCopyright : Copyright © Microsoft Corporation 1997-2004

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

OriginalFilename : msnmsgr.exe

 

#:24 [13090212.exe]

FilePath : C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\

ProcessID : 1972

ThreadCreationTime : 13-07-2006 10:51:24

BasePriority : Normal

 

 

#:25 [ipodservice.exe]

FilePath : C:\Program Files\iPod\bin\

ProcessID : 448

ThreadCreationTime : 13-07-2006 10:51:25

BasePriority : Normal

FileVersion : 6.0.4.2

ProductVersion : 6.0.4.2

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iPodService Module

InternalName : iPodService

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iPodService.exe

 

#:26 [wkcalrem.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\

ProcessID : 1128

ThreadCreationTime : 13-07-2006 10:51:29

BasePriority : Normal

FileVersion : 6.00.1828.1

ProductVersion : 6.00.1828.1

ProductName : Microsoft® Works 6.0

CompanyName : Microsoft® Corporation

FileDescription : Microsoft® Works Calendar Reminder Service

InternalName : WkCalRem

LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.

OriginalFilename : WKCALREM.EXE

 

#:27 [windowssearch.exe]

FilePath : C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\

ProcessID : 1428

ThreadCreationTime : 13-07-2006 10:51:30

BasePriority : Normal

FileVersion : 02.05.0001.1119

ProductVersion : 02.05.0001.1119

ProductName : MSN Search Toolbar

CompanyName : Microsoft Corporation

FileDescription : Windows Desktop Search Tool Tray Admin

InternalName : WindowsSearch.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WindowsSearch.exe

 

#:28 [windowssearchindexer.exe]

FilePath : C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\

ProcessID : 2520

ThreadCreationTime : 13-07-2006 10:51:44

BasePriority : Normal

FileVersion : 2.5.1.1119

ProductVersion : 2.5.1.1119

ProductName : Windows Desktop Search

CompanyName : Microsoft Corporation

FileDescription : Windows Desktop Search executable

InternalName : windowssearchindexer.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : windowssearchindexer.exe

Comments : Windows Desktop Search executable

 

#:29 [mpbtn.exe]

FilePath : C:\Program Files\ntl\broadband medic\bin\

ProcessID : 2652

ThreadCreationTime : 13-07-2006 10:51:50

BasePriority : Normal

 

 

#:30 [mpbtn.exe]

FilePath : C:\Program Files\BT Broadband Basic Help\bin\

ProcessID : 2664

ThreadCreationTime : 13-07-2006 10:51:50

BasePriority : Normal

 

 

#:31 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2980

ThreadCreationTime : 13-07-2006 10:52:01

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 3

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 3

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 3

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 3

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 3

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

33 entries scanned.

New critical objects:0

Objects found so far: 3

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 3

 

12:10:47 Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:18:04.880

Objects scanned:139786

Objects identified:0

Objects ignored:0

New critical objects:0


Hi Niall,

What AVG is seeing is a backup in your System Restore (which can't infect you at the moment), and we'll be clearing all those out AFTER your PC is cleaned up. For now, just ignore those alerts if they are in the System Volume Information directory (AVG can't clean it in there either; it's protected by Windows from 3rd party apps).

We are going to need a HijackThis log.

Instructions on creating a HijackThis log:

http://www.lavasoftsupport.com/index.php?showtopic=216

I also see something suspect in your Ad-Aware log. I need to examine the file a little closer to see what it is.

Go here to upload the file as an attachment:

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press New Topic (make the subject: For CalamityJane from Niall at LS), fill in a short message, then press the Browse button, navigate to and select this file on your computer, then press the *Post* button to upload the file.

File to upload:

C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

(Do not post HJT logs there as they will not get dealt with.)

You DO NOT need to be a member to upload; anybody can upload the files.

You will not see the files that have been uploaded, as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with steps to remove it, once I determine what it is.

After uploading the file, please post a HijackThis log for me to review.


Here is my HijackThis log.

 

Logfile of HijackThis v1.99.1

Scan saved at 15:35:44, on 13/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe

C:\DOCUME~1\NIALLM~1\LOCALS~1\Temp\7252\607112.exe

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)

O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)

O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

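The HijackThis log above is the kind of thing the helpers in this thread triage by eye. The Python script below is an added example, not part of the original thread and not HijackThis's own logic: it parses the O4, O20 and O21 lines and flags the signals a log reviewer looks for, namely orphaned "(file missing)" entries, files launched from user-writable profile or temp directories, digits-only or garbled names, Winlogon Notify DLLs outside System32, and one file registered under several autorun keys. The sample lines in `SAMPLE_LOG` are copied from the log above; the heuristics, thresholds and the names `parse_line`, `entry_reasons`, `triage` and `report` are the example's own assumptions.

```python
"""Heuristic triage of HijackThis O4 / O20 / O21 lines.

Added example: the rules below are this example's own assumptions about what a
log reviewer looks for; they are not HijackThis's logic and not the thread's.
"""
import re
from collections import Counter

# Constructed sample: O4/O20/O21 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
"""

LINE_RE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")
# O4 registry autoruns: "HKLM\..\Run: [value name] command line" (Global Startup .lnk lines are skipped)
O4_RE = re.compile(r"^(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>.*)\] (?P<rest>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<rest>.*)$")
O21_RE = re.compile(r"^SSODL: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<rest>.*)$")
# First path-like token: a drive-rooted path (may contain spaces) or a bare file name, ending in .exe/.dll
PATH_RE = re.compile(r'(?:[A-Za-z]:\\.*?|[^\s"\[\]]+)\.(?:exe|dll)', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(documents and settings|local settings|application data|temp)\\", re.IGNORECASE)


def parse_line(line):
    """Return a dict describing an O4/O20/O21 line, or None for lines not triaged here."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O4":
        mm = O4_RE.match(body)
        key = mm.group("key") if mm else None
    elif kind == "O20":
        mm, key = O20_RE.match(body), "Winlogon Notify"
    elif kind == "O21":
        mm, key = O21_RE.match(body), "SSODL"
    else:
        return None
    if not mm:
        return None
    rest = mm.group("rest")
    pm = PATH_RE.search(rest)
    path = pm.group(0) if pm else ""
    return {"kind": kind, "key": key, "name": mm.group("name"), "path": path,
            "basename": path.rsplit("\\", 1)[-1],
            "missing": "(file missing)" in rest, "reasons": []}


def entry_reasons(e):
    """Per-entry signals a reviewer would flag (assumed heuristics, not HijackThis output)."""
    reasons = []
    base = e["basename"].lower()
    stem = base.rsplit(".", 1)[0]
    if e["missing"]:
        reasons.append("referenced file is missing (orphaned autorun entry)")
    if USER_WRITABLE_RE.search(e["path"]):
        reasons.append("runs from a user-writable profile/temp directory")
    if stem and re.fullmatch(r"[\d_]+", stem):
        reasons.append("file name is digits only")
    if "[" in base or any(ord(c) > 127 for c in e["name"] + base):
        reasons.append("garbled or randomised value/file name")
    if e["kind"] == "O20" and "\\" in e["path"] and not re.search(r"\\system32\\", e["path"], re.IGNORECASE):
        reasons.append("Winlogon Notify DLL outside System32")
    return reasons


def triage(log_text):
    """Parse every triaged line and attach its reasons; entries with [] reasons look benign."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Cross-entry signal: the same file name registered under several autorun locations
    seen = Counter(e["basename"].lower() for e in entries if e["basename"])
    for e in entries:
        e["reasons"] = entry_reasons(e)
        n = seen[e["basename"].lower()] if e["basename"] else 0
        if n > 1:
            e["reasons"].append(f"same file registered under {n} autorun locations")
    return entries


def report(log_text):
    """Human-readable listing of only the flagged entries."""
    out = []
    for e in triage(log_text):
        if e["reasons"]:
            out.append(f"{e['kind']} {e['key']} [{e['name']}] -> {e['path'] or '(no path)'}")
            out.extend("    - " + r for r in e["reasons"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run as-is, the report lists exactly the ten entries CalamityJane later asks to have fixed and leaves WgaLogon, WPDShServiceObj, the AVG, iTunes and MSN Messenger entries unflagged. The reasons are triage hints, not verdicts: a "(file missing)" entry is harmless residue to clean up, while a digits-only executable in System32 that also appears under a second autorun key is the kind of file worth submitting to a multi-engine scanner before deciding anything.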

Thanks for uploading the file, Niall. It is a downloader trojan.

There are 3 more files showing on this log that I need to take a look at as well.

Upload the files here as you did before:

http://www.thespykiller.co.uk/forum/index.php?topic=2094

Use the "Reply" button, then press the Browse button and navigate to and select these files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select it, and then, when all the files are listed in the window, press the *Post* button to upload the files.

Files to upload:

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

C:\WINDOWS\system32\2236_27.dll

I will be able to collect them from there, but will reply to you back here with removal steps to take after I've had a chance to examine them.


I posted those files.

Quick question: What do I do if I want to open something I have downloaded from, say, LimeWire for example? How do I know they are not infected? Or how do I check them?


Any files you download you should scan with a good, up-to-date AV (like the AVG you have on board there); however, be aware that many of those files that you download at LimeWire may likely contain new, undetected nasties.

It would be much more effective to scan any file you download at one (preferably both) of the following:

Virus Total

http://www.virustotal.com/

or here:

Jotti Malware Scan

http://virusscan.jotti.org/

Those sites scan a single file with more than a dozen AVs to get better detection.

There is a limitation on file size, however.

10 MB at Virus Total and 15, I think, at Jotti.

This other file I got from you is some kind of backdoor trojan, not detected by very many. I'll have to write up some steps for you to remove all of them. I'll do that next.


Please copy these instructions to have handy because the later steps will have to be done in SAFE MODE and disconnected from the internet so you won't be able to view this window. Please review the whole process before starting so you can understand what we will be doing.

 

1. Please download the Killbox by Option^Explicit.

http://www.downloads.subratam.org/KillBox.zip

 

Unzip/Extract the contents to your desktop

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

(we'll use it later in SAFE MODE)

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe Mode, open HijackThis and choose *system scan only*.

When it finishes, checkmark the following entries in the list and then press the *fix checked* button.

 

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)

O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)

O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll

 

4. Open Killbox by clicking on Killbox.exe

 

5. Select *Delete on Reboot* in the first column

 

[screenshot: DeleteOnReboot.gif]

 

6. Press the *All Files* button IMPORTANT STEP!

 

[screenshot: AllFilesButton.gif]

 

7. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

 

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

C:\WINDOWS\system32\13090212.exe

C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

C:\WINDOWS\system32\xk.dll (file missing)

C:\WINDOWS\system32\2236_27.dll

 

8. In Killbox, select the "File" tab at the top

 

9. Choose "Paste from Clipboard" in the drop down menu

 

10. Press the red button with the white x in it.

 

11. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

Choose Yes when asked if you want to reboot. If your computer does not restart, please reboot it manually

 

 

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):

C:\!KillBox

 

12. Navigate to the Killbox backup folder:

C:\!KillBox

 

a. Right-click folder !KillBox

 

b. Point to Send To

 

c. Then click Compressed (zipped) Folder

 

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.

C:\!KillBox.zip

 

13. Now I want you to assign a password of: infected

to the compressed file you just made:

1. Double-click the compressed folder that you want to password protect.

2. On the File menu, click Add a Password.

3. In the Password box, type the password that you want to use: infected. Type the same password in the Confirm Password box, and then click OK.

Note that when you attempt to move or open a password-protected file, a Password Needed dialog box appears. Type the correct password in the Password box, and then click OK.

 

14. Go here to upload the file as an attachment as you did before

http://www.thespykiller.co.uk/forum/index.php?topic=2094

Press reply, browse to the !KillBox.zip file and then press the *post* button to upload it.

 

15. OK, now please scan and post a fresh HijackThis log. There may be more to do.


OK, I did everything you said. I posted the zip file on the other forum for you.

Here is a new HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 22:31:51, on 13/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Very odd! It seems to have gotten all but one; however, neither were the new files in the folder, nor does the log reflect any action by Killbox. We'll try a different tool.

 

1. Please download The Avenger by Swandog46 to your Desktop.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy the bold black text below to your Clipboard by highlighting it and pressing (Ctrl+C):

 

Files to delete:

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log

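An added example, not from this thread and not part of HijackThis, Killbox or The Avenger: a small Python script that applies the kinds of checks the helper made by eye when picking the entries to fix earlier in the thread (missing DLLs in Winlogon Notify/SSODL hooks, autostarts under a user data directory, digit-only file names, odd characters in the entry name) and when comparing the fix list against the fresh log ("all but one"). The log lines and fix list inside it are constructed samples modelled on this thread, with the user name replaced.

```python
import re

# Constructed sample of HijackThis-style entries modelled on this thread
# (not a real log); the user name is replaced with "user".
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe
O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\user\Local Settings\Application Data\13090212.exe
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""
FIX_LIST = [  # a subset of the fix list from the thread, to check against a fresh log
    r"O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe",
    r"O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)",
    r"O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)",
]

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - <body>"
FILE_RE = re.compile(r'([^\\\s"\[\]]+)\.(exe|dll)\b')  # last path component of an exe/dll
USER_DATA_DIRS = (r"local settings\application data", r"all users\documents")

def parse_entries(log_text):
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def suspicious_reasons(section, body):
    """Heuristics mirroring what the helper flagged by eye; empty list = nothing odd."""
    reasons = []
    lower = body.lower()
    missing = "(file missing)" in lower
    if section in ("O20", "O21") and missing:
        reasons.append("shell hook points to a DLL that no longer exists")
    if any(d in lower for d in USER_DATA_DIRS):
        reasons.append("autostart binary lives in a user data directory")
    if any(re.fullmatch(r"[\d_]+", name) for name, _ in FILE_RE.findall(lower)):
        reasons.append("file name is only digits/underscores")
    if re.search(r"[^\x20-\x7e]", body):
        reasons.append("entry contains non-ASCII or non-printable characters")
    if section == "O20" and not missing and "\\system32\\" not in lower:
        reasons.append("Winlogon Notify DLL outside system32")
    return reasons

def triage(log_text):
    """Map each flagged entry line to the reasons it was flagged."""
    flagged = {}
    for section, body in parse_entries(log_text):
        reasons = suspicious_reasons(section, body)
        if reasons:
            flagged[f"{section} - {body}"] = reasons
    return flagged

def remaining(fix_list, log_text):
    """Fix-list entries that still appear in a fresh log (the 'all but one' check)."""
    present = set(parse_entries(log_text))
    return [f"{s} - {b}" for s, b in parse_entries("\n".join(fix_list)) if (s, b) in present]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(reasons))
    print("still present:", remaining(FIX_LIST, SAMPLE_LOG))
```

The heuristics only point at entries worth a second look; a flagged line still has to be checked against the file itself (for example with the multi-engine scanners mentioned earlier in the thread) before it is removed.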

OK, when I put the file in and press the green light, after the first YES I get these boxes:

 

First

>>>>>>>>>>>>

 

Error: Selected file does not appear to be valid script.

 

Then

 

Press ok to log error and continue or cancel to abort

 

Then

 

error code 0


And you entered these two lines in the script box right?

 

Files to delete:

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

 

It could be there is a problem with the file name.

 

Could you get me a log from this tool please:

(Note: run this tool in normal mode)

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

2. Double click on combofix.exe & follow the prompts.

 

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

 

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

 

3. When finished, it shall produce a log for you. Post that log in your next reply


Here is the Avenger log:

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\fbwouelj

 

*******************

 

Script file located at: \??\C:\qmuvnfho.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

File c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe not found!

Deletion of file c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe failed!

 

Could not process line:

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

Status: 0xc0000034

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.


Here is the HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 00:32:42, on 14/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

Do you still want me to do the other step?

Not right now. Let's see if the Avenger will work using both lines as I posted up there
