niallmcl, posted July 10, 2006:

I need help. Jane helped me out before and everything was working great, and then I opened an episode of Lost I had downloaded and there are now problems. I ran Ad-Aware SE and ran SmitFraudFix in safe mode. My computer is now being so so slow!! I don't know how to fix it. Any help would be great!!!

niallmcl, posted July 11, 2006:

Can anyone help?
sirnarekg, posted July 12, 2006 (edited):

A few basic things you can do:

1. Go to your Control Panel, Add/Remove Programs, and see if you can find any programs that you did not install and you know are not part of your computer's preinstalled software. If you do, try to uninstall them.
2. Run an antivirus scan and try to clean/delete anything it finds. (See below if you don't have an antivirus.) If that resolves it, do not continue on.
3. If you don't have any important *programs* that you installed AFTER getting this virus, you can do a System Restore. Note that Word documents etc. will not be deleted. To do this:
   1. Go to Start, All Programs, Accessories, System Tools, System Restore.
   2. Click on "Restore my computer to an earlier time".
   3. Click on a BOLDED date closest to the time before you got the virus.
   4. Click OK/Restore.
   Note: I am assuming you are using Windows XP. To undo this restoration if you see it did not help, repeat step one and click on "Undo my last restoration".

--------------------------------------------

If you do not have an antivirus, please go to the following link to scan your computer with McAfee AntiVirus. I feel it does a better job.
http://us.mcafee.com/root/mfs/default.asp

If that doesn't help, please download a free antivirus from the following link.
http://www.download.com/AVG-Anti-Virus-Fre...tml?tag=lst-0-2

I hope I was able to help.

{email address removed by LS CalamityJane}

Edited July 18, 2006 by LS CalamityJane
niallmcl, posted July 12, 2006:

That didn't help, thanks for your effort.

niallmcl, posted July 12, 2006:

The main problem is that my start up and shut down have been taking sooooo long!!
sirnarekg, posted July 12, 2006:

You have too many programs starting up when your computer turns on. I'll try to help you configure those.

1. Please install CCleaner with the link I provided before.
2. Run the program, and go to the tab titled "Tools".
3. On the left, click on Startup.
4. Find programs you don't want to start up and click "Delete Entry".
Note: This does NOT delete the file, it only removes it from the startup list.

Another problem may be that your files are scattered around the registry rather than packed together, so it takes longer for the computer to find them. I'll help you fix that too.

1. Go to Start > All Programs > Accessories > System Tools > Disk Defragmenter.
2. Click on your C: drive.
3. Click Defragment.
Note: this may take a while depending on how many files you have and how big your hard drive is. It may take up to 2 hours, so please be patient. It may hang every now and then as well.

I hope I was able to help.
Corrine, posted July 13, 2006:

Hi, Niall. The next time you want to watch a program you downloaded, scan it first! As you may end up back with Janie, I suggest you start here first with an Ad-Aware SE logfile and someone will be along to take a look at it. (Not all infections are cleaned with the SmitFraud fix.)
niallmcl, posted July 13, 2006:

I know I shouldn't.... Here is my Ad-Aware log file... Also, I installed AVG virus protection and I keep getting this message:

While opening file: C:\System Volume Information\_restore{BCFD79B8-86E2-412D-8796-870B9B46DF3E}\RP280\A0226915.dll Trojan horse Proxy.BFJ

When I press Heal it keeps popping up...

Ad-Aware SE Build 1.06r1
Logfile Created on:13 July 2006 11:52:43
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R114 08.07.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

13-07-2006 11:52:43 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\niall mclaughlin\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw

MRU List Object Recognized!
Location: : S-1-5-21-1844237615-1935655697-1708537768-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 488
ThreadCreationTime : 13-07-2006 10:49:22
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 13-07-2006 10:49:24
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 13-07-2006 10:49:32
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 624
ThreadCreationTime : 13-07-2006 10:49:33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 636
ThreadCreationTime : 13-07-2006 10:49:33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 788
ThreadCreationTime : 13-07-2006 10:49:35
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 844
ThreadCreationTime : 13-07-2006 10:49:35
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 908
ThreadCreationTime : 13-07-2006 10:49:35
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 992
ThreadCreationTime : 13-07-2006 10:49:35
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1036
ThreadCreationTime : 13-07-2006 10:49:36
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1344
ThreadCreationTime : 13-07-2006 10:49:39
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1448
ThreadCreationTime : 13-07-2006 10:49:39
BasePriority : Normal
FileVersion : 7,1,0,365
ProductVersion : 7.1.0.365
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1468
ThreadCreationTime : 13-07-2006 10:49:40
BasePriority : Normal
FileVersion : 7,1,0,349
ProductVersion : 7.1.0.349
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:14 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1248
ThreadCreationTime : 13-07-2006 10:50:36
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:15 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 1008
ThreadCreationTime : 13-07-2006 10:50:59
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 220
ThreadCreationTime : 13-07-2006 10:51:14
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:17 [s3hotkey.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 272
ThreadCreationTime : 13-07-2006 10:51:22
BasePriority : Normal
FileVersion : 1.0.0.4
ProductVersion : 1.0.0.4
ProductName : S3 Graphics, Inc. S3Hotkey
CompanyName : S3 Graphics, Inc.
FileDescription : S3Hotkey
InternalName : S3Hotkey
LegalCopyright : Copyright © 2001 by S3 Graphics, Inc.
OriginalFilename : S3Hotkey

#:18 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 972
ThreadCreationTime : 13-07-2006 10:51:22
BasePriority : Normal

#:19 [cfd.exe]
FilePath : C:\Program Files\BroadJump\Client Foundation\
ProcessID : 1328
ThreadCreationTime : 13-07-2006 10:51:22
BasePriority : Normal

#:20 [motivesb.exe]
FilePath : C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\
ProcessID : 1392
ThreadCreationTime : 13-07-2006 10:51:22
BasePriority : Normal
FileVersion : 5.6.7.asst_classic.smartbridge.20031210_035000
ProductVersion : 5.6.7.asst_classic.smartbridge
ProductName : Motive System
CompanyName : Motive Communications, Inc.
FileDescription : ntl:home broadband medic alerts
InternalName : version
LegalCopyright : Copyright 1998-2003
OriginalFilename : version

#:21 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 1516
ThreadCreationTime : 13-07-2006 10:51:23
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:22 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ProcessID : 1928
ThreadCreationTime : 13-07-2006 10:51:23
BasePriority : Normal
FileVersion : 7,1,0,381
ProductVersion : 7.1.0.381
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:23 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 1916
ThreadCreationTime : 13-07-2006 10:51:23
BasePriority : Normal
FileVersion : 7.5.0324
ProductVersion : 7.5.0324
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:24 [13090212.exe]
FilePath : C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\
ProcessID : 1972
ThreadCreationTime : 13-07-2006 10:51:24
BasePriority : Normal

#:25 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 448
ThreadCreationTime : 13-07-2006 10:51:25
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:26 [wkcalrem.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ProcessID : 1128
ThreadCreationTime : 13-07-2006 10:51:29
BasePriority : Normal
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:27 [windowssearch.exe]
FilePath : C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\
ProcessID : 1428
ThreadCreationTime : 13-07-2006 10:51:30
BasePriority : Normal
FileVersion : 02.05.0001.1119
ProductVersion : 02.05.0001.1119
ProductName : MSN Search Toolbar
CompanyName : Microsoft Corporation
FileDescription : Windows Desktop Search Tool Tray Admin
InternalName : WindowsSearch.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WindowsSearch.exe

#:28 [windowssearchindexer.exe]
FilePath : C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\
ProcessID : 2520
ThreadCreationTime : 13-07-2006 10:51:44
BasePriority : Normal
FileVersion : 2.5.1.1119
ProductVersion : 2.5.1.1119
ProductName : Windows Desktop Search
CompanyName : Microsoft Corporation
FileDescription : Windows Desktop Search executable
InternalName : windowssearchindexer.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : windowssearchindexer.exe
Comments : Windows Desktop Search executable

#:29 [mpbtn.exe]
FilePath : C:\Program Files\ntl\broadband medic\bin\
ProcessID : 2652
ThreadCreationTime : 13-07-2006 10:51:50
BasePriority : Normal

#:30 [mpbtn.exe]
FilePath : C:\Program Files\BT Broadband Basic Help\bin\
ProcessID : 2664
ThreadCreationTime : 13-07-2006 10:51:50
BasePriority : Normal

#:31 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2980
ThreadCreationTime : 13-07-2006 10:52:01
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
33 entries scanned.
New critical objects:0
Objects found so far: 3

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

12:10:47 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:04.880
Objects scanned:139786
Objects identified:0
Objects ignored:0
New critical objects:0
LS CalamityJane, posted July 13, 2006:

Hi Niall,

What AVG is seeing is a backup in your System Restore (which can't infect you at the moment) and we'll be clearing all those out AFTER your PC is cleaned up. For now, just ignore those alerts if they are in the System Volume Information directory (AVG can't clean it in there either; it's protected by Windows from 3rd party apps).

We are going to need a HijackThis log.

Instructions on creating a HijackThis log:
http://www.lavasoftsupport.com/index.php?showtopic=216

I also see something suspect in your Ad-Aware log. I need to examine the file a little closer to see what it is.

Go here to upload the file as an attachment:
http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press New Topic (make the subject: For CalamityJane from Niall at LS), fill in a short message, then press the Browse button, navigate to and select this file on your computer, then press the *Post* button to upload the file.

File to upload:
C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe

(Do not post HJT logs there as they will not get dealt with.)

You DO NOT need to be a member to upload; anybody can upload the files. You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with steps to remove it, once I determine what it is.

After uploading the file, please post a HijackThis log for me to review.
niallmcl, posted July 13, 2006:

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:35:44, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3hotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe
C:\DOCUME~1\NIALLM~1\LOCALS~1\Temp\7252\607112.exe
C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
LS CalamityJane, posted July 13, 2006:

Thanks for uploading the file, Niall. It is a downloader trojan. There are 3 more files showing on this log that I need to take a look at as well.

Upload the files here as you did before:
http://www.thespykiller.co.uk/forum/index.php?topic=2094

Use the "Reply" button, then press the Browse button and navigate to and select these files on your computer. If there is more than 1 file, press the "more attachments" button for each extra file and browse and select it, and then when all the files are listed in the window press the *Post* button to upload the files.

Files to upload:
c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\system32\2236_27.dll

I will be able to collect them from there, but will reply to you back here with removal steps to take after I've had a chance to examine them.
niallmcl, posted July 13, 2006:

I posted those files. Quick question: what do I do if I want to open something I have downloaded from, say, LimeWire for example? How do I know they are not infected, or how do I check them?

LS CalamityJane, posted July 13, 2006:

Any files you download you should scan with a good, up-to-date AV (like the AVG you have on board there). However, be aware that many of those files that you download at LimeWire may likely contain new, undetected nasties. It would be much more effective to scan any file you download at one (preferably both) of the following:

Virus Total
http://www.virustotal.com/

or here:

Jotti Malware Scan
http://virusscan.jotti.org/

Those sites scan a single file with more than a dozen AVs to get better detection. There is a limitation on file size, however: 10 MB at Virus Total and 15, I think, at Jotti.

This other file I got from you is some kind of backdoor trojan, not detected by very many. I'll have to write up some steps for you to remove all of them. I'll do that next.
LS CalamityJane, posted July 13, 2006:

Please copy these instructions to have handy, because the later steps will have to be done in SAFE MODE and disconnected from the internet, so you won't be able to view this window. Please review the whole process before starting so you can understand what we will be doing.

1. Please download the Killbox by Option^Explicit: http://www.downloads.subratam.org/KillBox.zip
Unzip/Extract the contents to your desktop.
How to extract (decompress) zipped or compressed files: http://www.lvsonline.com/compresstut/index.shtml
(We'll use it later in SAFE MODE.)

2. Reboot into Safe Mode. You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit Enter.
How to start the computer in Safe Mode: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

3. Once in Safe Mode, open HijackThis and choose *system scan only*. When it finishes, checkmark the following listed entries in the list and then press the *fix checked* button:

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [13090212.exe] C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\2236_27.dll

4. Open Killbox by clicking on Killbox.exe.

5. Select *Delete on Reboot* in the first column.

6. Press the *All Files* button. IMPORTANT STEP!

7. Copy the following text shown in bold below to the clipboard by highlighting the bold text and pressing Control + C:

c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
C:\WINDOWS\system32\13090212.exe
C:\Documents and Settings\niall mclaughlin\Local Settings\Application Data\13090212.exe
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\system32\xk.dll (file missing)
C:\WINDOWS\system32\2236_27.dll

8. In Killbox, select the "File" tab at the top.

9. Choose "Paste from Clipboard" in the drop-down menu.

10. Press the red button with the white X in it.

11. You will receive a prompt stating that files will be deleted on next reboot. "Do you want to reboot now?" Choose Yes when asked if you want to reboot. If your computer does not restart, please reboot it manually.
Note: Backups will be stored in the following directory created on the hard drive (usually C): C:\!KillBox

12. Navigate to the Killbox backup folder: C:\!KillBox
a. Right-click folder !KillBox
b. Point to Send To
c. Then click Compressed (zipped) Folder
This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed: C:\!KillBox.zip

13. Now I want you to assign a password of "infected" to the compressed file you just made:
1. Double-click the compressed folder that you want to password protect.
2. On the File menu, click Add a Password.
3. In the Password box, type the password that you want to use: infected. Type the same password in the Confirm Password box, and then click OK.
Note that when you attempt to move or open a password-protected file, a Password Needed dialog box appears. Type the correct password in the Password box, and then click OK.

14. Go here to upload the file as an attachment as you did before: http://www.thespykiller.co.uk/forum/index.php?topic=2094
Press Reply, browse to the !KillBox.zip file and then press the *post* button to upload it.

15. OK, now please scan and post a fresh HijackThis log. There may be more to do.
niallmcl, posted July 13, 2006:

OK, I did everything you said. I posted the zip file on the other forum for you. Here is a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:31:51, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3hotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
niallmcl, posted July 13, 2006:

It looks like from that log the files I fixed are still there. Is that a problem?
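The question above (whether the "fixed" entries survived) can be answered mechanically by diffing the fix list against the fresh log. The following is an added example, not a tool from this thread; it embeds a few constructed sample lines copied from the logs posted above and applies cheap triage heuristics to the entry types the helper targeted (O4 autoruns, O20 Winlogon Notify, O21 SSODL).

```python
import re

# Constructed sample input: lines copied from the fresh HijackThis log posted
# above (the three O4 entries that were checked for fixing, plus benign
# entries for contrast). Not the thread's own tooling.
NEW_LOG = r"""
O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

# A subset of the entries the helper asked to have fixed in Safe Mode.
FIX_LIST = r"""
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [13090212.exe] C:\WINDOWS\system32\13090212.exe
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: ddirectz - ddirectz.dll (file missing)
O21 - SSODL: TmzbxY - {AC610320-06CB-A98A-1E5A-D0409FC68462} - C:\WINDOWS\system32\xk.dll (file missing)
"""

# HJT lines look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return (section, normalised body) pairs for every HJT-style line.
    Bodies are lowercased with whitespace collapsed so the same entry
    pasted with different case or spacing still compares equal."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), " ".join(m.group(2).split()).lower()))
    return entries


def still_present(fix_list_text, new_log_text):
    """Fix-list entries that reappear in a fresh log. Anything returned here
    was either never removed or was re-created by a still-running loader."""
    current = set(parse_hjt(new_log_text))
    return [e for e in parse_hjt(fix_list_text) if e in current]


def suspicious(entries):
    """Triage heuristics for O4/O20/O21 entries: non-ASCII or malformed
    bracketed names (randomised by the dropper) and registrations whose
    file is already gone from disk."""
    hits = []
    for section, body in entries:
        if section not in ("O4", "O20", "O21"):
            continue
        reasons = []
        if any(ord(c) > 127 for c in body):
            reasons.append("non-ASCII characters in entry")
        if section == "O4" and body.count("[") > 1:
            reasons.append("malformed/randomised run key name")
        if "(file missing)" in body:
            reasons.append("registered file missing on disk")
        if reasons:
            hits.append((section, body, reasons))
    return hits


if __name__ == "__main__":
    for section, body in still_present(FIX_LIST, NEW_LOG):
        print("STILL PRESENT:", section, body)
    for section, body, reasons in suspicious(parse_hjt(NEW_LOG)):
        print("SUSPECT:", section, body, "->", "; ".join(reasons))
```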
LS CalamityJane, posted July 13, 2006:

Very odd! It seems to have gotten all but one; however, neither were the new files in the folder, nor does the log reflect any action by Killbox. We'll try a different tool.

1. Please download The Avenger by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy the bold black text below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop. Under "Script file to execute" choose "Input Script Manually". Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script". Paste the text copied to clipboard into this window by pressing (Ctrl+V). Click Done. Now click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following: It will restart your computer. On reboot, it will briefly open a black command window on your desktop; this is normal. After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log.
niallmcl, posted July 13, 2006:

OK, when I put the file in and press the green light, after the first YES I get these boxes:

First: Error: Selected file does not appear to be a valid script.
Then: Press OK to log error and continue or Cancel to abort.
Then: error code 0
LS CalamityJane, posted July 13, 2006:

And you entered these two lines in the script box, right?

Files to delete:
c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

It could be there is a problem with the file name. Could you get me a log from this tool, please? (Note: run this tool in normal mode.)

1. Download this file - combofix.exe: http://download.bleepingcomputer.com/sUBs/combofix.exe

2. Double-click on combofix.exe and follow the prompts.
Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no). Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders).
Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply.
niallmcl, posted July 13, 2006:

OK, I didn't put in the "Files to delete" part! I will do that now... sorry about that, I thought I just needed the file name.
niallmcl, posted July 13, 2006:

Here is the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fbwouelj

*******************

Script file located at: \??\C:\qmuvnfho.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe not found!
Deletion of file c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe failed!
Could not process line:
c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.
niallmcl, posted July 13, 2006:

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:32:42, on 14/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3hotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
niallmcl, posted July 13, 2006:

Do you still want me to do the other step?
LS CalamityJane, posted July 13, 2006:

OK, that's it. Yes, both lines need to be in there. Can you try again, please?
LS CalamityJane, posted July 13, 2006:

Quote: "Do you still want me to do the other step?"

Not right now. Let's see if the Avenger will work using both lines as I posted up there.