trojan problems. attached logs

phattcat · Nov 30, 2006

hi. i have problem with browser hijacking and generally slowing down of my pc (xp)
i have done all the scans which has taken ages so i hope i did them correctly but i think i still have the problems.
i have done logs for the first 5, please tell me if i should do the hjt one

thanks in advance!

phattcat · Nov 30, 2006

continued

the other two

chaslang · Dec 1, 2006

Re: continued

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!!

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

How are things working now?

phattcat · Dec 1, 2006

thanks for your quick reply. here is the smitfraut log you requested.

chaslang · Dec 1, 2006

You need to do the second part of that message and attach the second rapport log too and then follow with the other 3 requested logs.

phattcat · Dec 1, 2006

okay done all of those logs.
i don't think the browser problem is cured sadly. and generally loading of pages is a bit slow (if they do load that is). i hop these logs hold the answer
thanx man!

phattcat · Dec 1, 2006

other three

chaslang · Dec 1, 2006

phattcat said:

okay done all of those logs.
i don't think the browser problem is cured sadly. and generally loading of pages is a bit slow (if they do load that is). i hop these logs hold the answer
thanx man!
Click to expand...

You have a lot of problems! We are working thru them slowly! If I had tried to post a single cleanup procedure, it would have confused you because it would have been huge. Also it probably would not have worked properly because some malware actually interferes with the removal of other malware. In additon, when some malware is removed other malware that was not even seen before may show up because the first malware was masking it. So what I'm saying is a step by step procedure for each problem is needed.

Please run this procedure: WareOut Removal and attach the requested log afterwards.

Also Run HijackThis and select the following lines (if still present) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Update Service] "C:\Program Files\Common Files\Teknum Systems\update.exe" /startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{417355E7-35F5-496F-872D-2ABE806EDF48}: NameServer = 85.255.116.116,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{754CAA13-C938-42EF-A8CF-3402045F6D16}: NameServer = 85.255.116.116,85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.116 85.255.112.175
O17 - HKLM\System\CS1\Services\Tcpip\..\{417355E7-35F5-496F-872D-2ABE806EDF48}: NameServer = 85.255.116.116,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.116 85.255.112.175
O18 - Protocol: bw+0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {FA7E36B9-337C-4972-9CB9-EA27D3FDDFFF} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O21 - SSODL: yPLfMsAbMn - {2C6BD4C2-86C1-7E68-43CA-0B245FCBED33} - C:\WINDOWS\system32\ndcce.dll (file missing)

After clicking Fix, exit HJT.

Now attach the below new logs and tell me how the above steps went.

HJT

phattcat · Dec 2, 2006

okay did those new logs. btw webpages don't seem to be redirecting.
thanx mate, hope these logs help.

chaslang · Dec 2, 2006

First Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2_05

Now we need to remove an old Symantec Service

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to Symantec Network Drivers Service

then right click the entry, select Properties and press Stop Service.

When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.

Click OK until you get back to Windows.

Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.

At the lower right, click on the Config button

Then click the Misc tools button

Select Delete an NT Service

Copy/pasteSNDSrvc into the box that opens, and press OK

If you receive any error messages just ignore them and continue.

Now exit HJT and reboot if it tells you it needs to.

Make sure viewing of hidden files is enabled (per the tutorial).

Use Windows Explorer to delete the below file. If it will not delete, try booting in safe mode to delete it. If you don't find it, that's okay, just continue onto the next steps.
C:\WINDOWS\SYSTEM32\CSIFA.EXE

Now run Ccleaner.

Now reboot in normal mode if you had to boot to safe mode above to delete the file.

Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\StartupFaster\LDM]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\StartupFaster\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\StartupFaster\dmahp.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\StartupFaster\KernelFaultCheck]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\StartupFaster\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\StartupFaster\SunJavaUpdateSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run\StartupFaster\TkBellExe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ActivSurf]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MessengerPlus2]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/mwsearch.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.2/mwsearch.dll]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"yPLfMsAbMn"=-
Click to expand...

Now download the current version of ShowNew. Yours is out of date. Extract it right over the old version.

Now attach the below new logs and tell me how the above steps went.

GetRunKey

ShowNew

HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

phattcat · Dec 2, 2006

Use Windows Explorer to delete the below file. If it will not delete, try booting in safe mode to delete it. If you don't find it, that's okay, just continue onto the next steps.
C:\WINDOWS\SYSTEM32\CSIFA.EXE
Click to expand...

i was unable to do this in normal or safe mode. i got the same error message saying a programme or person is using it and that i should close those and try again.
i havent done anything else as i thought it would be best to wait for your instructions.
thanks

chaslang · Dec 2, 2006

Download a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.
Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

Delete on Reboot

then Click on the All Files button.

Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\CSIFA.EXE

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
If Killbox does not reboot just reboot your PC yourself.
After reboot verify that the C:\WINDOWS\SYSTEM32\CSIFA.EXE file is gone by checking with Windows Explorer. Let mw know the result.

Now make sure you complete all the other steps in message # 10 and attach the requested logs

phattcat · Dec 2, 2006

Thankyou. The PocketKillbox has worked and C:\WINDOWS\SYSTEM32\CSIFA.EXE is no longer there.
Secondly the pc is working well and there is definitely no redirecting of webpages!
I attach the 3 logs you requested please tell me if anything shows up on them.
Thankyou

chaslang · Dec 3, 2006

All clean! However in message #10 I asked you to remove Java 2 Runtime Environment, SE v1.4.1_02 did you miss this? Or is it not showing in Add/Remove programs?

It it just does not show, then do the below.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Java 2 Runtime Environment, SE v1.4.1_02]
Click to expand...

Now if you are not having any other malware problems, it is time to do our final steps:

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.

If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.

If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.

If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

phattcat · Dec 3, 2006

Thankyou so much for your help. i have completed those last things and the java thing is gone.
i was looking through the "how to protect yourself from malware" and it mentions windows updates. i haven't been able to get updates for ages and the microsoft site hasn't helped at all. I was wondering if this site is able to help with that if you can point me in the right direction.

thanks again for all your help!!!!!

chaslang · Dec 3, 2006

You're welcome.

phattcat said:

i was looking through the "how to protect yourself from malware" and it mentions windows updates. i haven't been able to get updates for ages and the microsoft site hasn't helped at all. I was wondering if this site is able to help with that if you can point me in the right direction.
Click to expand...

Have you tried it now after we cleaned up your malware? Is your copy of Windows licensed to you?

If you still have problems, post a message in the Software Forum and someone there should be able to give you some procedures to follow. But you will need to give them more info. Like exactly what happens when you try to go to Windows Update. How far do you get? What error messages do you get? etc.

Log in or Sign up

trojan problems. attached logs

phattcat Private E-2

Attached Files:

Activescan.txt

bdscan.txt

CounterSpy.txt.txt

phattcat Private E-2

Attached Files:

newfiles.txt

runkeys.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

phattcat Private E-2

Attached Files:

rapport.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

phattcat Private E-2

Attached Files:

hijackthis.log

phattcat Private E-2

Attached Files:

rapport.txt

runkeys.txt

newfiles.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

phattcat Private E-2

Attached Files:

report.txt

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

phattcat Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

phattcat Private E-2

Attached Files:

hijackthis.log

runkeys.txt

newfiles.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

phattcat Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member