1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Loaded.exe

Discussion in 'Windows XP' started by CraigMB, Jul 26, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    I was playing a game of checkers on flyordie.com and something started downloading without my consent and then its like a picture was tryin to come up but it said no image .my cursor started blink with the curson then the hour glass over and over and it keeps sayin my computer is in danger it is infeted i restarted and now a icon appears on my desktop loaded.exe but when i click obn it it says loaded.exe is not a win32 application ....whatr is goin on did i get hi jacked ? i'm running a sweep with spysweeper as i type...any info would help

    Now it keeps wantin me to download brave serenty ....and about 10 mins later a pop up came up sayin a computer tracks all computer fioles and websites u been to that could ruin your marriage and all that junk to install clean drive click ok? what is that i hit no ..jus thought u might want to know
     
  2. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Hello, CraigMB. Welcome. You have been wise not to click on those pop-ups or the ad for the bogus scanner. Those are trouble for sure. Let's see if we can get the perpetrator off of your system.

    * Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Doubleclick on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    Logfile of HijackThis v1.99.1
    Scan saved at 5:47:49 AM, on 7/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\program files\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\811d2a9a.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\Morpheus\Morpheus.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltel.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
    O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
    O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152860785\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [811d2a9a.exe] C:\WINDOWS\system32\811d2a9a.exe
    O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [811d2a9a.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe
    O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
     
  4. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Save that textfile to your desktop.


    Now, we need to disable AOL Spyware Protection:

    • 1.
      From the Start menu, click Programs, then America Online, and then AOL Spyware Protection.
      The AOL Spyware Protection window opens.
      2.
      On the left of the Spyware Protection window, click the Settings tab.
      3.
      Clear the Actively Scan For New Potential Spyware check box.
      Note: A selected check box indicates AOL Spyware Protection is enabled (on), and a cleared check box indicates AOL Spyware Protection is disabled (off).
      4.
      Close the AOL Spyware Protection window.
      Note: To enable AOL Spyware Protection, select the Actively Scan For New Potential Spyware check box.

    Next, we need to disable Spysweeper:

    Open it, click >Options over to the left then >program options >Uncheck "load at windows startup".
    Over to the left click shields and uncheck all there.
    Uncheck "home page shield".
    Uncheck "automaticly restore default without notifiction".


    Then, please open up HijackThis again, click on "Do a system scan only", and when it finishes scanning, place a check before the following lines:

    O4 - HKLM\..\Run: [811d2a9a.exe] C:\WINDOWS\system32\811d2a9a.exe

    O4 - HKCU\..\Run: [811d2a9a.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe

    Then make sure ALL windows are closed except HijackThis and hit the "Fix checked" button.


    You will want to print out the following instructions or copy them to Notepad as you will not have internet access while in Safe Mode.

    Now, boot the computer into Safe Mode. Click here for instructions on how to boot into Safe Mode.

    In Safe Mode, navigate to and delete the following files marked in bold. Delete ONLY the part in bold

    C:\WINDOWS\system32\811d2a9a.exe

    C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe

    Empty the Recycle Bin.

    Reboot the computer back into Normal Mode, scan with HijackThis again, and this time, save a logfile and post that new logfile back here along with the report from SmitfraudFix.
     
  5. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    Well to be honest ...i havent got Aol On programs list


    Well bad news ...Someone installed the clean drive and registery cleaner 4.0 when i wasnt at home....and system doctor....
     
  6. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    OK, no problem. I noticed the AOL thing in the startup list, but it doesn't show in the running processes. I just wanted to be sure that nothing was going to block the HijackThis fixes. That's the reason for disabling such programs. Just go ahead with the rest then, and feel free to ask for help if you need it.
     
  7. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    ok i was in safe mode but i didnt know where to bnavigate to find In Safe Mode, navigate to and delete the following files marked in bold. Delete ONLY the part in bold

    C:\WINDOWS\system32\811d2a9a.exe

    where do i do this at
     
  8. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    What that means is that you won't want to delete the "Windows" folder, you won't want to delete the "System 32" folder, but you want to delete the file named 811d2a9a.exe that resides inside of the System 32 folder. Here's how to navigate to that file:

    Click "Start" > "All Programs" > "My Computer" (click on My Computer)
    You will now see some folders, one of which is named "C:" -- Click on the C: folder.

    Now, you should see lots of folders, one of which is named "Windows" -- Click on Windows.

    Now, you should see lots more folders and a bunch of files below them, one of which is named "811d2a9a.exe" (should be a file beneath all of the folders) -- Right-click on 811d2a9a.exe and click on "Delete" from the drop-down list. Then click "Yes" to confirm the deletion.

    Navigate to the "Application Data" folder the same way (by following the file path one folder at a time), and delete 811d2a9a.exe from it too.
    -------------------------------------------------------
    If you can't find the files that way, you can try using XP's search function to find the files. Here's how:

    Click "Start", then click on "Search" (where the magnifying glass is), then click "All files and folders". Then click "More advanced options". Place a check in the boxes by "Search system folders", "Search hidden files and folders", and by, "Search subfolders". Now, in the top box, type in 811d2a9a.exe and hit the "Search" button. Let it search the system and when it finds the file, right-click on that file only and then click "Delete". Delete any files named 811d2a9a.exe, but don't delete any other files with different names if the search window presents them.
    -------------------------------------------------------
    If you can't find the file by using either method, then that means that HijackThis has already deleted them. In that case, don't worry about it; they're gone.

    The reason we do it from Safe Mode is that sometimes files can be stubborn about being deleted from Normal Mode.

    Hope that helps.
     
  9. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    thank you for bein so elaborate,I couldnt find it by navigating but i used the search method and and application icon showed and it was named 811d2a9a but didnt have the exe and i right clicked and clicked delete but it said the cannot delete the file access denied make sure the file is not full or write protected or in use
     
  10. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    OK. Run that same search again, and this time go ahead and delete that application icon and anything else named 811d2a9a .
    Now, just for good measure, open up HijackThis, click on the "Open the Misc. Tools section", click on "Delete a file on reboot", and when the "Enter file..." window pops up, copy and paste the following line into the space that says "File name":

    C:\WINDOWS\system32\811d2a9a.exe


    Then when HijackThis asks you if you would like to restart the computer now, click No.

    Click on the "Delete a file on reboot" button again and this time copy and paste in the following line:

    C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe


    This time, go ahead and click "Yes" when it asks you if you want to restart the computer now.

    After the restart, Do another search for 811d2a9a and see if anything comes up again.

    Run another HijackThis scan, post the log here and also post the log from SmitfrardFix.
     
  11. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    Hijackthis log and the smit log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:03:24 AM, on 7/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alltel.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152860785\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [811d2a9a.exe] C:\WINDOWS\system32\811d2a9a.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [811d2a9a.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe
    O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    Ok Heres the Smit log

    SmitFraudFix v2.75b

    Scan done at 23:35:00.56, Wed 07/26/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\xpupdate.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\dlh9jkdq?.exe FOUND !
    C:\WINDOWS\system32\kernels8.exe FOUND !
    C:\WINDOWS\system32\taskdir.exe FOUND !
    C:\WINDOWS\system32\taskdir~.exe FOUND !
    C:\WINDOWS\system32\vxgamet?.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  12. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Reboot the computer back into Safe Mode.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Run another fresh HijackThis scan as well and post the new log back here too along with the SmitfraudFix results.
     
  13. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    Logfile of HijackThis v1.99.1
    Scan saved at 9:11:26 PM, on 7/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1152860785\EE\AOLHostManager.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [811d2a9a.exe] C:\WINDOWS\system32\811d2a9a.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [811d2a9a.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe
    O4 - Global Startup: ALLTEL DSL Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/ALLTEL/static/controls/WebflowActiveXInstaller_2-0-0.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - Unknown owner - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe




    SmitFraudFix v2.75b

    Scan done at 2:54:03.54, Mon 07/31/2006
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  14. CraigMB

    CraigMB Thread Starter

    Joined:
    Jan 29, 2006
    Messages:
    638
    Now my connection keeps goin and comin back...I have dsl so i dont know whats up the dsl lights keeps turning off and then showing the light again any idea ?
     
  15. kdd9

    kdd9

    Joined:
    Mar 24, 2005
    Messages:
    516
    Please download Ewido to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install Ewido by double clicking the installer.
    • Follow the prompts. Make sure that Launch Ewido is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.


    Download Killbox from here.
    Unzip it to the desktop.

    Download Blacklight from here. Save it to your desktop.

    Print out the following instructions or copy them to Notepad as you will not have internet access from Safe Mode.

    Now reboot the computer into Safe Mode.

    Something seems to be blocking the fixes, so make sure Webrooot SpySweeper is disabled after every reboot.
    We will enable it again when we are finished.

    Open SpySweeper, click >Options over to the left then >program options >Uncheck "load at windows startup".
    Over to the left click shields and uncheck all there.
    Uncheck "home page shield".
    Uncheck "automaticly restore default without notifiction".

    Now let's repeat the Smitfraud fix:

    Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Safe Mode. If it does reboot the computer, then you reboot it back into Safe Mode.

    A text file will appear onscreen, with results from the cleaning process; save it and post with the next reply.

    Make sure SpySweeper is disabled again.

    Open HijackThis, do a system scan only, and when it finishes, place a check before the following lines:

    O4 - HKLM\..\Run: [811d2a9a.exe] C:\WINDOWS\system32\811d2a9a.exe

    O4 - HKCU\..\Run: [811d2a9a.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe

    Then make sure ALL windows are closed except HijackThis and hit the "Fix checked" button.

    Now, double-click Killbox.exe to open it.

    Select "Delete on Reboot".
    Click the "All Files" button.
    Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox: (You can just copy and paste it in there if you wish.)
    C:\WINDOWS\system32\811d2a9a.exe
    Make sure there is a mark next to "Delete on Reboot"
    Click the red-and-white "Delete File" button. Click "No" at the Reboot prompt.
    Place the following line (complete path) in bold in the "Full Path of File to Delete" box:
    C:\Documents and Settings\Owner\Local Settings\Application Data\811d2a9a.exe
    Click the red-and-white "Delete File" button.
    Click "Yes" at the Reboot prompt.
    Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually. Boot it into Safe Mode again.

    Make sure SpySweeper is disabled again.

    Run ewido:

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
    • Under How to act?
    • Click on Recommended Action and choose Quarantine from the popup menu.
    [*]Under How to scan?
    • All checkboxes should be ticked.
    [*]Under Possibly unwanted software:
    • All checkboxes should be ticked.
    [*]Under Reports:
    • Select Automatically generate report after every scan and uncheck Only if threats were found.
    [*]Under What to scan?
    • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
    [*]When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.


    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be promted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This will program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.


    Now, double-click that blue icon on the desktop that says, "blbeta" on it to launch Blacklight.
    Accept the license agreement.
    Press the Scan button.

    When the scanning is done, the Next button will become available and you should click on it. If Blacklight did not find any hidden items you will see a screen showing that no hidden items were found. You can then press the Exit button to exit the program as Blacklight did not find any rootkits on your computer. If on the other hand, Blacklight did find some hidden items, you will be presented with a screen showing a list of the processes and files hidden on your computer.

    Blacklight, when it performs a scan, will create a log file in the same folder that you ran the program from. That folder should be your Windows Desktop. The file name of the log file will start with fsbl- followed by the data and some other numbers. An example is fsbl-20060518203951.log.

    Run HijackThis again from Normal Mode, save the logfile, and post it back here along with the logs from SmitfraudFix, ewido, Kaspersky and Blacklight.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/486454

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice