Home page changed about:blank [RESOLVED]


#1
hesnotthemessiah

Hi there. My home page has been changed to about:blank and I keep getting an "access denied" when trying to access some sites such as Geeks To Go, plus I am getting constant "warnings" about my PC being "watched" and getting links to "clean my system".


Logfile of HijackThis v1.99.1
Scan saved at 20:36:55, on 06/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Documents and Settings\Neville Tubb\Desktop\HijackThis.exe
C:\VIRUS\SpywareBlaster\spywareblaster.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [KAVPersonal50] "C:\VIRUS\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for ¸ć" : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...2335/model.html
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O23 - Service: WindowInstallSystem (edd392f81bfsvr) - Unknown owner - C:\WINDOWS\edd392f81bf.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\VIRUS\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks for your help. :tazz:

#2
Rawe

Hello and welcome!

Please print these instructions out, or write them down, as you can't read them during the fix. Be sure to ask any question(s) before proceeding with the fix.

Download
CleanUp

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Please download Ewido Security Suite; it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Now do this;

Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; WindowInstallSystem (edd392f81bfsvr)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\System32\edd392f81bf.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "Yes".
When rebooting, boot your computer in Safe Mode by doing the following:

1) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
2) Instead of Windows loading as normal, a menu should appear
3) Select the first option, to run Windows in Safe Mode.


Run a scan with HijackThis and check the following objects for removal;

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...2335/model.html
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O23 - Service: WindowInstallSystem (edd392f81bfsvr) - Unknown owner - C:\WINDOWS\edd392f81bf.exe


Close any other open windows and/or open browser, making sure that the above mentioned objects are all checked - hit "Fix Checked".

Exit HiJackThis.

Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall the following entry;

Viewpoint Manager

Exit Control Panel.

Using Windows Explorer, locate the following files/folders and delete if present;

C:\WINDOWS\System32\edd392f81bf.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ <= Entire Folder
C:\WINDOWS\edd392f81bf.exe


Run CleanUp! but don't reboot yet.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: edd392f81bfsvr
  • Click "ok", then reboot
Run this online scan, let it fix anything it can;
Panda Activescan

Post the results of Panda ActiveScan here along with the Ewido log as well as a fresh HiJackThis log.

- Rawe :tazz:

#3
hesnotthemessiah

Hi Rawe. Thanks for your help. You people are great!! :tazz:

Anyways, I have a problem - when I run services.msc I don't get WindowInstallSystem (edd392f81bfsvr) . The closest I get is Windows Installer.

I reran hijackthis just to make sure there had been no changes and there doesn't seem to be any since I last ran hijack this and sent the previous log file:-

Logfile of HijackThis v1.99.1
Scan saved at 01:03:39, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
C:\VIRUS\SpywareBlaster\spywareblaster.exe
C:\Documents and Settings\Neville Tubb\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [KAVPersonal50] "C:\VIRUS\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for ¸ć" : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...2335/model.html
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O23 - Service: WindowInstallSystem (edd392f81bfsvr) - Unknown owner - C:\WINDOWS\edd392f81bf.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\VIRUS\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


Hope you can help.

Thanks again.

#4
ukbiker

Hi there hesnotthemessiah :)

I will be taking over this log from Rawe, so let me read through it and then I will post again ;)

UKBiker

ps hes a very naughty boy :tazz:

#5
hesnotthemessiah

Thanks ukbiker. Just popping off to bed now!! I'm not really that naughty, honest :tazz: (I should be so lucky!)

#6
hesnotthemessiah

Sorry, me again. I should have let you know that I will probably be up and about by about 2.30PM so will be able to check my emails from about then onwards.

About the username - I did originally want to use the username "a very naughty boy" when I first got onto the internet and joined a forum but found on that forum that someone was already using it :tazz: - so I went one better and used "hesnotthemessiah" instead! ;)

Thanks again for your help.


Now I'm off to the land of nod.....................

#7
hesnotthemessiah

Good evening ukbiker. I have noticed, when switching on my PC that I now have, in my desktop background, a red square with "Your IP logged. Security risk level - high. Youre beeing(sic) watched etc. etc. click here to stop the threat. Download free tracks removal." There is also a "System" box that appears (not sure what term to use but by box I mean the usual small grey panel with the option to cancel or click OK) which advises to select to connect to the website to download the track removal software (how decent of them!). :tazz:

When I am on the internet I often get a Microsoft Internet Explorer box appear whenever I go to a new page advising "Internet Explorer cannot open the Internet site http://address of page I am trying to view.......... . Operation aborted". If I click OK (the only option it gives) then it closes Internet Explorer. If I close the window with the "X" then I get a blank internet page and can use the "Back" function which will take me to the page I should be looking at.

Hope that helps.


Thanks again.

#8
ukbiker

Hi again :tazz:


Please print these instructions out then boot into safe mode.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools"

Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to this file

C:\WINDOWS\System32\edd392f81bf.exe


and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the NO button


Now, back in MiscTools, click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

edd392f81bfsvr

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.


UKBiker

#9
hesnotthemessiah

Just to add to the last post - my DVD drive now keeps on opening - even when I am not doing anything on the PC! The last time it did this the "System" box, which advises to select to connect to the website to download the track removal software, appeared again (I don't think there is any connection between this "System" box and the DVD drive opening - or me closing the drive, as they don't always seem to happen together). Somehow I selected OK (I didn't click on the box but was typing a text document at the time) and it connected to the site. I quickly switched off the router and then my PC seemed to freeze for a bit then a lot of "runtime error" windows appeared. I don't think my PC connected to the site.

Hopefully that is it for now!

Thanks again.

#10
hesnotthemessiah

Me again. ;) just read your last message and about to carry out your instructions. I haven't got a printer here - would it be OK to copy this page to an external hard drive so I can view it on my other PC? I am getting a bit paranoid! :tazz:


Cheers.

#11
ukbiker

Yep. no problems with that.

#12
hesnotthemessiah

Hi. Couldn't find the file C:\WINDOWS\System32\edd392f81bf.exe and then when trying to "Delete an NT Service" and entering edd392f8bfsvr a message popped up "The service edd392f8bfsvr is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the Services.msc window". I then tried using the Windows search option (including hidden files and subfolders etc.) but still no files with edd392f81bf found.

Would my reply to Rawe in post #3 have anything to do with this? Rawe gave me instructions in post #2 but I was unable to carry them out because when I ran services.msc I was unable to find WindowInstallSystem (edd392f81bfsvr).

Here is the latest logfile of HijackThis:-

Logfile of HijackThis v1.99.1
Scan saved at 21:26:10, on 07/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\VIRUS\SpywareBlaster\spywareblaster.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Neville Tubb\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [KAVPersonal50] "C:\VIRUS\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\VIRUS\Kaspersky Anti-Hacker\KAVPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for ¸ć" : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...2335/model.html
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O23 - Service: WindowInstallSystem (edd392f81bfsvr) - Unknown owner - C:\WINDOWS\edd392f81bf.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\VIRUS\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks. :tazz:

#13
ukbiker

Hi again :tazz:

I will need to do a bit of research here, but in the meantime, would you please :-

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Ensure that all your security applications are fully updated.

3) Tell me what the website you are being invited to go to is called?

I will post again ASAP

UKBiker

#14
ukbiker

Hi again ;)

Let's try this..

Please rescan with HJT. Place a check mark against these items

O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe


Close all windows and browsers other than HJT and click "Fix". Exit HJT

Reboot into Safe mode.

In safe mode, go to (text in parenthesis are my instructions to you)

start > run > cmd (then type in ) sc stop edd392f81bfsvr (press enter)
(repeat this , only this time, type) sc delete edd392f81bfsvr (press enter)

Reboot into normal mode. Rescan with HJT and post a new log here for me.

Good Luck :tazz:

UKBiker
  • 0
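
An added example, not part of the original posts: the HijackThis logs in this thread, triaged in Python. The `O23` parser pulls out the service key name (the exact string that `sc stop` / `sc delete` and "Delete an NT service" expect), and the correlation step lists every image path sharing the flagged token, which here shows the service binary in `C:\WINDOWS` as well as the Run-key copy in `System32`. The three flagging heuristics and all function names are assumptions made for this example, not HijackThis behaviour.

```python
import ntpath
import re

# Constructed sample: a subset of lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O4 - HKCU\..\Run: [edd392f81bf] C:\WINDOWS\System32\edd392f81bf.exe
O16 - DPF: {10000000-1000-0000-0000-000000000000} - file://C:\\Recycler\\Q678341.exe
O23 - Service: WindowInstallSystem (edd392f81bfsvr) - Unknown owner - C:\WINDOWS\edd392f81bf.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\VIRUS\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)  # assumed heuristic: bare hex token as value name
RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DPF = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.* - (?P<src>\S+)$")


def split_service_name(field):
    """Split 'Display (key)' into (display, key); parentheses inside the key may nest."""
    if not field.endswith(")"):
        return field, field  # assumed: a single name means display name and key are equal
    depth = 0
    for i in range(len(field) - 1, -1, -1):  # walk back to the '(' matching the final ')'
        depth += field[i] == ")"
        depth -= field[i] == "("
        if depth == 0:
            return field[:i].rstrip(), field[i + 1:-1]
    return field, field


def parse_service(line):
    """Parse an O23 line into display name, service key name, owner and image path."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, key = split_service_name(parts[0])
    return {"display": display, "key": key, "owner": parts[1], "path": parts[2]}


def triage(log):
    """Return flagged lines, service key names, and every .exe path sharing a flagged token."""
    flags, keys, tokens = [], [], set()
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    for line in lines:
        svc, run, dpf = parse_service(line), RUN.match(line), DPF.match(line)
        if svc and svc["owner"] == "Unknown owner":
            flags.append((line, "service with unknown owner"))
            keys.append(svc["key"])
            tokens.add(ntpath.splitext(ntpath.basename(svc["path"]))[0].lower())
        elif run and HEX_NAME.match(run["name"]):
            flags.append((line, "Run value named with a bare hex token"))
            tokens.add(run["name"].lower())
        elif dpf and dpf["src"].lower().startswith("file://"):
            flags.append((line, "ActiveX control installed from a local file"))
    paths = sorted({m.group(0) for line in lines for t in tokens
                    for m in re.finditer(r"[A-Za-z]:\\[^\"]*?" + re.escape(t) + r"\.exe",
                                         line, re.I)})
    return {"flags": flags, "service_keys": keys, "paths": paths}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for line, reason in result["flags"]:
        print(f"[{reason}] {line}")
    print("service key name(s):", result["service_keys"])
    print("image paths to check:", result["paths"])
```

Copying the key name from the parsed `O23` line rather than retyping it avoids a mistyped service name being passed to the removal tools.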

#15
hesnotthemessiah

Hi there ukbiker. I have downloaded Killbox, unzipped it and now have Killbox.exe on my desktop. All my security apps are up to date. The website I have been invited to is "URL removed" (I made sure and unplugged my router first and then clicked the "Download Free Tracks Removal" on my desktop).

Thanks for your time with this. Much appreciated. If only I could send a pint via email! :tazz:

Thanks, I have removed the URL to be safe.

Edited by ukbiker, 07 August 2005 - 06:21 PM.
