Malware removal, Outerinfo..Win32 not sure if I'm in too deep


#1
victoria_nichol
New Member, 2 posts

Hi there,

Yesterday I was notified of 3 Trojans, then a bunch of adware started popping up. An Outerinfo icon popped up in my system tray and I've been having lots of problems since. I found this site, and saw a post stating the exact same thing that happened to me. So I did all of the things my computer would let me do: ATF Cleaner, System Restore, AVG anti-adware program, SUPERAntiSpyware. Then rebooted after each step. I tried using the Panda scanner, but each time a win 32 bar at the bottom would pop up and wouldn't allow the scan to complete. My computer already has the SP2 pack, and I have avast antivirus which has lapsed; I thought about uninstalling it but wasn't sure if I could do that right. I have tried to follow the instructions as closely as possible.

I also realize that you are working for free, so any advice will be greatly appreciated. Hopefully I did everything right. I feel as though I may have screwed up here and there; just let me know and I'll try to get it right. Here are the logs I read about posting in order to receive advice. Oh, and I tried to save the uninstall list from the HijackThis log, but each time I'd click "save list" nothing would happen.

With the AVG anti-adware no reports were available.

Thanks for taking the time to read this post.

Vicky

SUPERAntiSpyware Scan Log
Generated 06/21/2007 at 04:28 PM

Application Version : 3.6.1000

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 06:16:51

Memory items scanned : 453
Memory threats detected : 2
Registry items scanned : 7481
Registry threats detected : 167
File items scanned : 138107
File threats detected : 90

Trojan.Downloader-Gen/RetAd
C:\WINDOWS\RETADPU1000106.EXE
C:\WINDOWS\RETADPU1000106.EXE
[runner1] C:\WINDOWS\RETADPU1000106.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#runner1 [ C:\Windows\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 ]
C:\WINDOWS\RETADPU2000219.EXE
C:\Windows\Prefetch\RETADPU1000106.EXE-068BBDFD.pf

Trojan.ZenoSearch
C:\WINDOWS\SYSTEM32\OWINPNDT.EXE
C:\WINDOWS\SYSTEM32\OWINPNDT.EXE
C:\Windows\system32\msnav32.ax
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.RC18227\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\5CSZLLWX\DT[1].EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP589\A0318587.EXE
C:\Windows\Prefetch\OWINPNDT.EXE-37DD46C2.pf

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\Programmable
C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
HKU\S-1-5-21-4189721917-290644608-3456947449-500\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

Adware.Accoona
HKLM\Software\Classes\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKCR\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKCR\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}
HKCR\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\InprocServer32
HKCR\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\InprocServer32#ThreadingModel
HKCR\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\ProgID
HKCR\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\TypeLib
HKCR\CLSID\{364B6276-C6C1-40B6-A6D7-6C48871FD707}\VersionIndependentProgID
C:\PROGRAM FILES\ACCOONA\ATOOLBAR.DLL
HKLM\Software\Classes\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\InprocServer32
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\InprocServer32#ThreadingModel
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\ProgID
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\Programmable
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\TypeLib
HKCR\CLSID\{944864A5-3916-46E2-96A9-A2E84F3F1208}\VersionIndependentProgID
C:\PROGRAM FILES\ACCOONA\ASEARCHASSIST.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864A5-3916-46E2-96A9-A2E84F3F1208}
C:\PROGRAM FILES\THEMEXP\THEMEXP.ORG FILE\ATOOLBAR400011.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GFQJDHXE.DLL
HKLM\Software\Classes\CLSID\{B1FD7898-8368-4076-A43D-6856ACAC9538}
HKCR\CLSID\{B1FD7898-8368-4076-A43D-6856ACAC9538}
HKCR\CLSID\{B1FD7898-8368-4076-A43D-6856ACAC9538}
HKCR\CLSID\{B1FD7898-8368-4076-A43D-6856ACAC9538}\InProcServer32
HKCR\CLSID\{B1FD7898-8368-4076-A43D-6856ACAC9538}\InProcServer32#ThreadingModel
C:\PROGRAM FILES\TYPINGMASTER\RYXYB83122.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1FD7898-8368-4076-A43D-6856ACAC9538}
HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}

Trojan.HyperLinker/LinkMaker
HKLM\Software\Classes\CLSID\{85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1}
HKCR\CLSID\{85A77577-A8CA-41B7-AA1E-DDAD4C0B12B1}
HKCR\CLSID\{85A77577-A8CA-41B7-AA1E-DDAD4C0B12B1}
HKCR\CLSID\{85A77577-A8CA-41B7-AA1E-DDAD4C0B12B1}\InprocServer32
HKCR\CLSID\{85A77577-A8CA-41B7-AA1E-DDAD4C0B12B1}\InprocServer32#ThreadingModel
HKCR\CLSID\{85A77577-A8CA-41B7-AA1E-DDAD4C0B12B1}\ProgID
HKCR\CLSID\{85A77577-A8CA-41B7-AA1E-DDAD4C0B12B1}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\HLWIN.DLL

Adware.SearchClickAds
HKLM\Software\Classes\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}#AppID
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\InprocServer32
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\InprocServer32#ThreadingModel
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\ProgID
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\Programmable
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\TypeLib
HKCR\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}\VersionIndependentProgID
C:\WINDOWS\CFG32O.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F59898}
HKLM\SOFTWARE\zAbstract
HKLM\SOFTWARE\zAbstract#r
HKLM\SOFTWARE\zAbstract#App1
HKLM\SOFTWARE\zAbstract#App3
HKLM\SOFTWARE\zAbstract#App4
HKLM\SOFTWARE\zAbstract#App5
HKLM\SOFTWARE\zAbstract#Version
HKLM\SOFTWARE\zAbstract#BundleID
HKLM\SOFTWARE\zAbstract#Parent
HKLM\SOFTWARE\zAbstract#App2
HKLM\SOFTWARE\zAbstract#CList
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP589\A0318585.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP589\A0318586.DLL
C:\WINDOWS\CFG32A.EXE
C:\WINDOWS\CFG32R.DLL
C:\WINDOWS\CFG32S.DLL
C:\WINDOWS\STUB_MMA2.EXE
C:\Windows\Prefetch\CFG32A.EXE-1D5F6A5C.pf

Trojan.Downloader-Gen/BasicMath
HKLM\System\ControlSet001\Services\Net Agent
C:\WINDOWS\DLS0523PMW.EXE
HKLM\System\ControlSet002\Services\Net Agent
HKLM\System\CurrentControlSet\Services\Net Agent
C:\Windows\Prefetch\DLS0523PMW.EXE-034E73CF.pf

Adware.180solutions/Search Assistant
HKCR\MediaGatewayX.Installer
HKCR\MediaGatewayX.Installer\CLSID
HKCR\MediaGatewayX.Installer\CurVer
HKCR\MediaGatewayX.Installer.1
HKCR\MediaGatewayX.Installer.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#.Owner
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaGatewayX.dll#{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll [  ]

Adware.180solutions/ZangoSearch
HKCR\Interface\{DD469A88-316C-441D-B712-783D9B9A6707}
HKCR\Interface\{DD469A88-316C-441D-B712-783D9B9A6707}\ProxyStubClsid
HKCR\Interface\{DD469A88-316C-441D-B712-783D9B9A6707}\ProxyStubClsid32
HKCR\Interface\{DD469A88-316C-441D-B712-783D9B9A6707}\TypeLib
HKCR\Interface\{DD469A88-316C-441D-B712-783D9B9A6707}\TypeLib#Version
HKCR\AppId\{D28CD14C-50BE-4CFA-951E-B37F25DA3472}
HKCR\TypeLib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5}
HKCR\TypeLib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5}\1.0
HKCR\TypeLib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5}\1.0\0
HKCR\TypeLib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5}\1.0\0\win32
HKCR\TypeLib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5}\1.0\FLAGS
HKCR\TypeLib\{981BDA1D-C8AD-46FF-BE2C-FDDD859AC6F5}\1.0\HELPDIR

Adware.WebHancer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey#UninstallString

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Trojan.Windows Overlay Components/SysMon
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#Type
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#Start
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Security
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Windows Overlay Components\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_OVERLAY_COMPONENTS\0000#DeviceDesc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString
C:\Windows\offun.exe

Adware.HotBar/SpamBlockerUtility (Low Risk)
C:\Documents and Settings\Administrator.RC18227\Application Data\SpamBlocker
C:\Documents and Settings\Administrator.RC18227\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2\btntrans.idx
C:\Documents and Settings\Administrator.RC18227\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\2
C:\Documents and Settings\Administrator.RC18227\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static
C:\Documents and Settings\Administrator.RC18227\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility
C:\Documents and Settings\Administrator.RC18227\Application Data\SpamBlockerUtility\v3.0
C:\Documents and Settings\Administrator.RC18227\Application Data\SpamBlockerUtility
HKCR\SpamBlockerConfig.Application
HKCR\SpamBlockerConfig.Application\Clsid
HKCR\SpamBlockerConfig.Application.1
HKCR\SpamBlockerConfig.Application.1\Clsid
HKLM\Software\SpamBlockerUtility
HKLM\Software\SpamBlockerUtility\Hotbar
HKLM\Software\SpamBlockerUtility\Hotbar\Install
HKLM\Software\SpamBlockerUtility\Hotbar\Install#StartInstall
HKLM\Software\SpamBlockerUtility\SpamBlockerUtility
HKLM\Software\SpamBlockerUtility\SpamBlockerUtility\PI
HKLM\Software\SpamBlockerUtility\SpamBlockerUtility\PI\3.2
HKLM\Software\SpamBlockerUtility\SpamBlockerUtility\PI\3.2#PID00
HKLM\Software\SpamBlockerUtility\SpamBlockerUtility\Upgrade
HKLM\Software\SpamBlockerUtility\SpamBlockerUtility\Upgrade#LastChecked

Adware.BookedSpace
HKCR\AppID\Scaggy.DLL
HKCR\AppID\Scaggy.DLL#AppID
HKCR\Scaggy.Insert
HKCR\Scaggy.Insert\CLSID
HKCR\Scaggy.Insert\CurVer
HKCR\Scaggy.Insert.1
HKCR\Scaggy.Insert.1\CLSID
HKCR\AppID\{90A52F08-64AC-4DC6-9D7D-451667029898}
HKCR\TypeLib\{90A52F08-64AC-4DC6-9D7D-451667029898}
HKCR\TypeLib\{90A52F08-64AC-4DC6-9D7D-451667029898}\1.0
HKCR\TypeLib\{90A52F08-64AC-4DC6-9D7D-451667029898}\1.0\0
HKCR\TypeLib\{90A52F08-64AC-4DC6-9D7D-451667029898}\1.0\0\win32
HKCR\TypeLib\{90A52F08-64AC-4DC6-9D7D-451667029898}\1.0\FLAGS
HKCR\TypeLib\{90A52F08-64AC-4DC6-9D7D-451667029898}\1.0\HELPDIR

Adware.Think-Adz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Think-Adz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Think-Adz#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enhanced Ads by Think-Adz#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant#UninstallString

Adware.ClickSpring/Outer Info Network
C:\Documents and Settings\Administrator.RC18227\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Administrator.RC18227\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Administrator.RC18227\Start Menu\Programs\Outerinfo

Adware.Web Buying
HKU\S-1-5-21-4189721917-290644608-3456947449-500\Software\WebBuying

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.RC18227\DESKTOP\CLICK TO FIND AND FIX ERRORS.URL

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.RC18227\LOCAL SETTINGS\TEMP\WINANTIVIRUSPRO2007FREEINSTALL.EXE

Adware.RAC
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.RC18227\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KRBZUKD5\ACDT-PID67N[1].EXE

Adware.eZula
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.RC18227\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\UPNWTWNQ\TOB_SND_20070616[1]

Adware.k8l
C:\PROGRAM FILES\MSN GAMING ZONE\ZYSOJAD.HTML

Adware.WebBuying-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP588\A0317482.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP589\A0317510.EXE
C:\WINDOWS\SYSTEM32\S6\WR613.EXE

Adware.SysMon
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP589\A0317536.EXE
C:\WINDOWS\SYSTEM32\S1\BK53.EXE

Trojan.Downloader-WebBuying/PopEngine
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP589\A0317541.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP591\A0318961.DLL

Trojan.Downloader-ClickSpring/NDrv
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP591\A0318963.DLL

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP591\A0318964.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5B942C52-3EC6-4393-ADAF-2DA421A20CCE}\RP591\A0318965.EXE
C:\WINDOWS\WBUN.EXE
C:\Windows\Prefetch\WBUN.EXE-060F5402.pf

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B103.EXE
C:\WINDOWS\B104.EXE

Spyware.RelevantKnowledge
C:\WINDOWS\ITPB_3.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\DWDSREGT.EXE
C:\Windows\Prefetch\DWDSREGT.EXE-373063D8.pf

Trojan.Downloader-Gen/BundleBase
C:\WINDOWS\SYSTEM32\O02PREZ\O02PREZ1065.EXE

Trojan.PreUninstallHL/32
C:\WINDOWS\SYSTEM32\PREUNINSTALLHL.EXE

Trojan.Rootkit-TnCore/Installer
C:\WINDOWS\SYSTEM32\S4\WEN2.EXE

Adware.Unknown Origin
C:\WINDOWS\SYSTEM32\ZXDNT3D.CFG

Trace.Known Threat Sources
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temp\Temporary Internet Files\Content.IE5\7NBBF0L9\Layout[1].js
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\WHE7O5AV\config[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\TXBUP1HB\campaigns7[1].encrypted
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\DO9PF8C8\client_settings_3[1].bin
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\KRBZUKD5\cache[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\OJNZAKXD\bundle[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\KPMQVJ5O\addisplay[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\NZL3NP4O\addisplay[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\WHE7O5AV\addisplay[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\Y9167AXC\addisplay[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\KPMQVJ5O\config[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\JGWN5XO1\addisplay[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\KPMQVJ5O\styler[1].css
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\05UNC5EZ\main.shadow.top[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\UPNWTWNQ\nf404[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\8ENPUMD5\scan.bar[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\05UNC5EZ\page.screenshot[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\5CSZLLWX\shield-pro-3[1].htm
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\8ENPUMD5\main.shadow.btm[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\Q2FL2WM9\scan.bg[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\3F1ZJTGK\solution[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\TXBUP1HB\icon.arrow[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\X3L91NA2\scan.txt[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\TXBUP1HB\button.download[1].gif
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\NZL3NP4O\ffa_mv20070611[1]
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\3F1ZJTGK\koocwolla_20070601[1]
C:\Documents and Settings\Administrator.RC18227\Local Settings\Temporary Internet Files\Content.IE5\NZL3NP4O\nauj_20070613_1[1]

Logfile of HijackThis v1.99.1
Scan saved at 7:27:12 PM, on 6/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Documents and Settings\Administrator.RC18227\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Documents and Settings\Administrator.RC18227\Desktop\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\EZ-DUB\EZ-DUB.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{7E-EB-B0-0E-ZN}] c:\windows\system32\dwdsregt.exe CHD003
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Administrator.RC18227\Desktop\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\Windows\system32\fadlrmxc.dll",realset
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\modsregs.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.218 - http://64.85.20.102/Java/cfs31218.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: Microsoft WFC Forms Designer - file://E:\VJ98\wfcforms.cab
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://E:\VJ98\vstudio6.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt2_x.cab
O16 - DPF: Yahoo! GoStop - http://download.game...ts/y/gst1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potg_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt1_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish...fishActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave...h2.1.0.0.53.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c24.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.game...itched/main.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.game...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.game...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Administrator.RC18227\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\Windows\system32\drivers\KodakCCS.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
#2
MoNsTeReNeRgY22

    Member 2k

  • Member
  • 2,539 posts
Hello and Welcome to Geeks to Go.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.
#3
victoria_nichol

    New Member

  • Topic Starter
  • Member
  • 2 posts
Ok, take your time and thanks so much.
#4
MoNsTeReNeRgY22

    Member 2k

  • Member
  • 2,539 posts
Hello victoria_nichol. :whistling:

1)Jotti File Submission:

Please go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\Windows\system32\fadlrmxc.dll

Click on the submit button

Please post the results in your next reply.

2) Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3) Download and unzip BFU.zip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button.

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.gee...structions.html


4)Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

5)Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
6)Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

7) Please post the following in your next reply:
  • Jotti Results
  • Blacklight Log
  • ActiveScan report
  • Fresh HJT Log
  • uninstall_list.txt

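As an added example, not part of this thread and not a HijackThis feature: a small Python triage script that parses the O2/O16/O18/O23 line formats that appear in the posted log and flags the things a helper checks first, namely entries marked "(file missing)", services with no publisher string, and a random-looking DLL name under system32 such as the fadlrmxc.dll the helper sends to Jotti. The sample lines are copied from the posted log (with the forum's "..." URL shortening), except the O2 line, which is constructed here with a placeholder CLSID; the naming heuristic is my own rule of thumb, not anything HijackThis computes, and a hit means "look this file up", not "this is malware".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, not a full log. The O16/O18/O23 lines are copied from
# the log posted in this thread (the forum shortened long URLs with "...");
# the O2 line is hypothetical, written here with a placeholder CLSID so the
# random-name check has an entry for the DLL the helper asked to be scanned.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Windows\system32\fadlrmxc.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Administrator.RC18227\Desktop\AVG Anti-Spyware 7.5\guard.exe
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
# One pattern per HijackThis section handled here; the named groups keep each
# section's field order straight (O16 puts the CLSID first, O2/O18 the name).
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r") \((?P<name>.*?)\) - (?P<target>.*)$"),
    "O18": re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$"),
}
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx)\b', re.IGNORECASE)
URL = re.compile(r"https?://\S+")
VOWELS = set("aeiouy")


@dataclass
class Entry:
    kind: str            # HijackThis section: O2, O16, O18 or O23
    name: str
    clsid: str
    owner: str           # publisher string, O23 only
    target: str          # file path or download URL as HijackThis printed it
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def looks_random(filename: str) -> bool:
    """Heuristic, not a verdict: an all-lowercase alphabetic stem of 7+ letters
    with at most two vowels ('fadlrmxc') is typical of generated names, while a
    chosen name ('browseui', 'yinsthelper') usually has more."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 7 and stem.isalpha() and stem.islower()
            and sum(ch in VOWELS for ch in stem) <= 2)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for sections not handled."""
    line = line.strip()
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if not m:
            continue
        g = m.groupdict()
        raw = g["target"]
        # Strip quotes, service arguments and the "(file missing)" marker
        # down to the bare path or URL.
        path, url = WIN_PATH.search(raw), URL.search(raw)
        target = path.group(0) if path else (url.group(0) if url else raw)
        return Entry(kind, g.get("name", ""), g.get("clsid", ""),
                     g.get("owner", ""), target, "(file missing)" in raw)
    return None


def triage(entry: Entry) -> List[str]:
    """Return the review flags for one entry (empty list = nothing to check)."""
    flags = []
    if entry.file_missing:
        flags.append("file missing: orphaned entry, fix or remove")
    if entry.kind == "O23" and entry.owner == "Unknown owner":
        flags.append("service has no publisher string: verify the binary")
    filename = entry.target.rsplit("\\", 1)[-1]
    if "\\system32\\" in entry.target.lower() and looks_random(filename):
        flags.append("random-looking name in system32: submit for scanning")
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry.flags = triage(entry)
            entries.append(entry)
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        label = e.name or e.clsid
        print(f"{e.kind:<4}{label:<24}{e.target}")
        for f in e.flags:
            print(f"      -> {f}")
```

Run against the sample, the script flags the O2 entry for its name, the O18 protocol handler and the avast! Mail Scanner service for their missing files, and both avast! services for lacking a publisher string; the avast! hits are a reminder that "Unknown owner" is a prompt to verify, which is why the flags are phrased as checks rather than conclusions.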