Alert Maliscious script System[1].exe.js

See this thread:

http://forums.majorgeeks.com/showthread.php?t=41716

let me know if that helps.

If not, you should first run thru: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

 

Are you still getting that message?

Do the below:
Run Internet Explorer and click this sequence Tools, Internet Options, Security, Internet.
Click on the lower right the Default Level button then click OK.
Now click the Custom Level button.
In the ActiveX controls and plugins section:
1) set "Download signed ActiveX controls" to 'Prompt'.
2) set "Download unsigned ActiveX controls" to 'Prompt'
3) set "Initialize and Script ActiveX controls not marked as safe" to 'Disable'.
Now when software attempts to be installed on your system, you will be asked whether you want ActiveX objects to be executed.

Some people recommend putting sites that you know and trust into the "Trusted Zone" in Internet Option,Security. I recommend not doing that. This way if anything ever appears there at all, you know it should not be there and you do not need to guess what to do with it (always
remove it).

If you are having other problems do what I gave you in my first message:

READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

 

Please just answer this question:

Did you run all steps in
READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

 

Please download HijackThis version 1.98.2 and following the guidelines in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

Post your HijackThis log as a .txt file attachment.

Make sure you shutdown all un-necessary applications (especially all browsers) before running a scan. Do NOT run Hijack This from the Desktop, a temp folder or choose run from inside the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

Okay go back an read that HJT tutorial again though. I'm still going to work on your log but note a couple points you missed from the tutorial:

Make sure you shutdown all un-necessary applications (especially all browsers) before running a scan. Do NOT run Hijack This from the Desktop, a temp folder or choose run from inside the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


You had three browsers open! Don't do that anymore.
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

And you put HijackThis on your Desktop! Fix this!
C:\Documents and Settings\John\Desktop\Extract\hijackthis\HijackThis.exe

 

First check Add/Remove Programs to see if there is an uninstall for MyWay or MyWeb or MyWebSearch or something similar. If so, use it to uninstall.

Please bring up Windows Explore by right clicking Start and then choose Explore. Now select your C drive. Just look thru the directory list and tell me how many directories begin with \progra (disregard whether uppercase or lower case). If more than just \Program Files , tell me exactly whatelse. I'm wondering why HijackThis shows the two below items differently:
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

Okay now for the cleanup:
Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text:
regsvr32 /u MYBAR.DLL
then click OK. If a dialog box confirming this action appears, click OK.


Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End it:
KHost.exe
upload 32 coal.exe or coal.exe
PLATFORM KIND.exe or kind.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gsvzazwznjlvhzd.info/6KElRtUgXZMrLMnmDb66hQzHuTmPJz2Tf7_Qk8sM5M0NSeGNobHU3miRyPnpZp6f.htm
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {F43C1C15-A7FC-5A09-DE8A-74F3F7B74A54} - C:\PROGRA~1\DEFAUL~1\WAY SAFE.exe
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Enc Creative] C:\PROGRA~1\Freecorn\upload 32 coal.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Chic cake for hide] C:\Documents and Settings\All Users\Application Data\dent window chic cake\PLATFORM KIND.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.co
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

Now reboot in safe mode and delete:
C:\Program Files\MyWay <--- the whole directory
C:\PROGRA~1\Freecorn <--- the whole directory
C:\Documents and Settings\All Users\Application Data\dent window chic cake <--- the whole directory
C:\WINDOWS\kdx\KHost.exe

Reboot normal mode and create a new HijackThis log to post. And tell me how the above steps went and how things are working.

 

Hi,
What he means is he suspects c:\progra~1 could be a problematic folder because there should be (and is) a c:\Program Files directory. So to be sure, he would like you to browse your drive using Windows Explorer and see if there are and folders starting out c:\progra

An easy way to do this is to double click My Computer on your desktop, then click the c:\drive where you will see a list of all folders on your computer. Make sure there is nothing starting out progra EXCEPT for "Program Files"

Hope that helps.

 

Exactly MA! Thanks for the backup!

I want to be sure on this one. I have seen it a couple time recently and I starting to wonder if it is just a qwirk in HijackThis reporting. Sometimes the path is spelled out and sometime it uses the 8 character name abbreviation. Have seen it on c:\Documents and Settings too. So I want to be sure we do not have bogus directories.

 

No! You are looking for anything on your C drive in the root directory (that is c:\) that begins with progra (ignore upper/lower case). You have at least one. And that is c:\Program Files.

 

That's fine! Just keep going with the steps.

 

You had a bunch of problems! Some of them are now fixed.

Did you fix this line with HJT:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jdggqhbyaebukkdqvkf.com/6KElRtUgXZMrLMnmDb66hQzHuTmPJz2Tf7_Qk8sM5M2/GiCbIDGFtXiRyPnpZp6f.html


It's back. Did you no that Messenger Plus installs spyware & a lop hijacker and that's why we don't have it as a download on Majorgeeks? Did you read the license agreement?

 

You did not need to get rid of MSN Messenger. It is okay. It is from Microsoft. The Messenger Plus 3 is the one that is problematic. If you need a messenger program, my friends here on MG's recommend one of these 3 "Multi" format programs GAIM or Trillian or Miranda. All are downloadable here http://www.majorgeeks.com/downloads33.html .

Does that R0 line still show in a HijackThis log? Just take a look yourself.

 

The below link discusses a similar issue. See if you can relate any of the steps to your problem and follow thru the procedure to resolve your issue in a similar manner:

http://world.casio.com/qv/support/en/info/winxp_sp2_b.html

Or you could first go here to Microsoft:

http://support.microsoft.com/default.aspx?kbid=843017


Further educational reading:
http://www.phdcc.com/xpsp2.htm

Let me know if this helps.

 

For this one, I think yo need to post you OS, your mail reader program, and your problem in a new thread over in the software forum.

 

You're welcome!