[Yarnouth]

You may have Hacker Defender. Hacker Defender installs a device driver which hooks the Windows API. It allows it to hide a directory with a particular name while allowing files to exist there, hide open ports from a port scanner while allowing connections to and from that port, hide processes in memory from process managers along with other cute tricks. Anything protected by Hacker Defender is a real pain to find and remove.
In order to detect whether you are infected by HackDefender, please download this utility: http://bagpuss.swan....torv0[1].62.zip

If you are infected you can try the following: If your system drive (usually C is formatted with the FAT32 file system, simply create a bootable floppy, boot from it, and delete the directory from the command prompt.

If your system drive is formatted with the NTFS file system, download Bart's PE builder from http://www.nu2.nu/pebuilder/ in order to create a pre installed environment cd image. Burn that image and boot using the CD, use then the utilities inside the PE in order to delete this folder.

You can read more on HackDefender here: http://bagpuss.swan....comms/hxdef.htm

[Advertisements]

It's the same thing again mate, It wont open the downloaded zip file, it says in Task Manager that Winzip is running 98% but nothing's happening.

[tommkell]

It's the same thing again mate, It wont open the downloaded zip file, it says in Task Manager that Winzip is running 98% but nothing's happening.

[Yarnouth]

We do in fact have a big problem here. Are you able to use another pc to at least download these tools. When you have them on disc you can then see which you can run on your own after we kill some of the bad programs running here. Or it could be Windows itself.

More importantly for now, i need you to jot down all the processes in your task manager and post them here. Dont worry about size, just be sure to spell them correctly as they show...case sensitive. Thanks

[tommkell]

OK here they are:
OPERA.EXE
WZQKPICK.EXE
CalCheck.exe
Netscp.exe
SpySweeper.exe
Freedom.exe
ctfmon.exe
mwsoemon.exe
taskmgr.exe
Winampa.exe
realsched.exe
JUSCHED.EXE
E_S10IC2.EXE
EXPLORER.EXE
WDFMGR.EXE
SVCHOST.EXE
SAgent2.exe
AVGSERV.EXE
SPOOLSV.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
SVCHOST.EXE
LSASS.EXE
SERVICES.EXE
WINLOGON.EXE
CSRSS.EXE
SMSS.EXE
dtnav.exe
System
System Idle Process

[Yarnouth]

Ok can you uninstall Freedom. And see if you get back some pc usage from there. You could have your Windows Firewall running to, but if not make sure it is for your protection
You might have three anti virus scanners running.

[tommkell]

It wont let me remove it from add/remove programs in control panel. An install shield box is coming up loading halfway then disappearing.

[Yarnouth]

Ok, stop AVG from running. We need to work on getting speed back. In task manager stop avg. Let me know now if it works.

[tommkell]

OK stopped Freedom and AVG in task manager.

[Yarnouth]

So how is your pc usage? can you uninstall one of the visrus programs?

[tommkell]

Nope, It's exactly the same as before.

[Yarnouth]

Ok i missed this one. Uninstall if you can mwsoemon.exe Check in Program files for a folder called: mywebsearch, my search bar, myspeedbar (or anything that looks like this )Also look for Fun Web Products Easy Installer and remove that too if you find it
If you can't uninstall, kill the process mwsoemon.exe in task manager and if that doesnt work because it starts mwsoemon.exe1~ or whatever let me know.

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files in bold (if found):

mwsoemon.exe

Try Hijack after this.

[tommkell]

OK mate, I couldn't find any in program files but I rebooted in safe mode and searched for the files. 2 were mwsoemon e-mail plug-ins and 1 was a mwsoemon PF file . These are now deleted but there is still no change although mwsoemon isn't in task manager anymore. By the way they were mywebsearch files, if that makes any sense to you cos it doesn't to me. Thanks,, tom

[tommkell]

Hello Thatman, I'm not sure how to do this. I renamed it on the desktop but then it becomes Hijackthis.com.exe, and still doesn't work. I don't know how to change the exe bit at the end.