Under siege (infested)

Discussion in 'Malware Help (A Specialist Will Reply)' started by GingerBreadMan, Mar 20, 2005.

  1. GingerBreadMan

    GingerBreadMan Private E-2

    Hey guys, I am in need of some help, my PC has been infested for around a week, and nothing I do seems to help. At one point every time I re-logged and ran Ad-Aware I would delete 600 objects. I used the tutorial, which didn't seem to help, I still have either a trojan, virus, or both. Any help would be appreciated as I am seriously missing my gaming fun, not to mention I am tired of spending nearly 3 hours a day scanning my computer. Thanks in advance, I'm gonna go pray to the virus gods now:)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you ran all steps in the sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you still have a problem:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. GingerBreadMan

    GingerBreadMan Private E-2

    Thanks for the help, here's my scan log, hope I did it right:)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wow! Looks like you have been collecting spyware! We have a lot to fix!

    You must remember to ALWAYS exit all browsers before running HijackThis. You had these running:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    Now first look in Add/Remove programs for any of the below and uninstall if found:
    Vbouncer or Virtual Bouncer
    Media Access
    Ebates or Ebates_MoeMoneyMaker (or similar)
    AutoUpdate

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process".
    C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
    C:\Program Files\0ftmy376\0ftmy376.exe
    C:\windows\system32\idzhsp.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\Program Files\Media Access\MediaAccess.exe
    C:\WINDOWS\system32\iepngl32.exe
    C:\windows\system32\calc.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
    C:\Program Files\0ftmy376\0ftmy3761\0ftmy3761.exe
    C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {0223380F-C650-4AF8-AE2B-77A0C5B52DCD} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {090506D3-2E16-449F-AA04-4730C2218D86} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {16A558D5-D1EE-4BE9-AE32-D0376F002D57} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {222603DB-5A4C-40BA-8FAF-92AEF69399F8} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {228A160A-3942-4005-973A-BFE080CB47D6} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\system32\trgen.dll
    O2 - BHO: (no name) - {2EBC5811-66D3-49FA-851F-A9DD43F442BB} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {351468C4-C464-4E66-BE48-C48D324BA78F} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {401D0618-0501-4C03-B036-6FF5FE684D57} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {4480BC20-A928-4DCD-80E1-6400446D07E6} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {450405DE-F31A-46A5-8511-CC1B41F6E849} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {490C50C2-B0F8-48A6-8B64-4B851EA39E5A} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {4E6AB544-5529-4096-8898-089FEA66CB19} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {529ED6FF-98D4-4039-BF1D-C2DD0AD00D68} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {53D1458C-5049-4A4E-B33A-EE53E5900C60} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {56AD5669-DEC0-43E7-9B0C-1AC14141A818} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\system32\AUNBHO.dll
    O2 - BHO: (no name) - {705F6BB5-4D7B-47F4-8BC0-9797989328DF} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {70C644E2-B41F-42E9-8654-81ED1E4D6E62} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {7BE23C32-45FA-41F0-AB96-73AFDA28C047} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {7D8FFC0A-EA89-467F-BA39-82AB2098832A} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {814FD8D3-98C5-45B6-8E36-9C1A20C641FE} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {8A3B69E3-E4E2-44B8-9746-29B9A90D9EE0} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {8A3E71CE-721B-4ACD-8AD8-390ECAC961DB} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {8A436B82-B8C4-4D93-93C5-A4A40F5E96BA} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {8CFA263E-54B9-46C1-813A-2034073C8570} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {8CFBBC49-51EA-4746-AC48-2DE72D24E42A} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {900128E5-E054-4345-9EFA-781ADAD20041} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {94CA7650-1EA7-49DB-97A2-01EA6D1F7938} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {98A007D7-242B-4A43-9AAA-E4DC9213D807} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg2.dll
    O2 - BHO: (no name) - {9A972CAF-5300-45FD-9064-B7A8962D96FE} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {AC7798F4-AE35-4D4D-96B2-E820344E215F} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {AF9D9534-E550-43A9-BFE1-13B8041FCFB2} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {BA68A9F4-93EA-4C38-BD30-230961659187} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {C2FBB57F-BEA3-4492-AAC9-0BC4EAF10CEA} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: (no name) - {C9358C36-FFF3-45E1-A3E4-D72ACBA8BB6F} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {CAF1E9E9-57A6-455E-A6A4-7A1F79F8FF8F} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {CDFF680C-C033-413D-BBA2-F845EB6AB27C} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {DC263930-9658-4B53-B235-56D930B3E961} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {E2E2350F-655D-47FF-BE2B-4CC12D9D8571} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {E36EEEF7-89EE-4884-AC3E-82E42D92D2A8} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {E54423F7-45C3-4A00-A893-BF04476EC9B3} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {E6F42C09-9A08-4254-A1B2-EBC685CB636C} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: (no name) - {F590A6FC-3BA7-434A-8CE7-8F5B166D762C} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {F654CEB8-2D18-432D-89AF-31AD4645E065} - C:\Program Files\0ftmy376\0ftmy376.dll
    O2 - BHO: (no name) - {F97E2E2F-A537-4671-9A3B-E982B3A2019D} - C:\Program Files\0ftmy376\0ftmy376.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
    O4 - HKLM\..\Run: [0ftmy376] C:\Program Files\0ftmy376\0ftmy376.exe
    O4 - HKLM\..\Run: [idzhsp] c:\windows\system32\idzhsp.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
    O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
    O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
    O4 - HKLM\..\Run: [msmc] C:\WINDOWS\system32\msmc.exe
    O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
    O4 - HKLM\..\Run: [4ZF] C:\windows\system32\4ZF.exe
    O4 - HKLM\..\Run: [EoNh.exe] c:\windows\system32\EoNh.exe
    O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [37nO3sS] iepngl32.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
    O4 - HKCU\..\Run: [Iw4ERie4h] igmcp50.exe
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (HKCU)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (the whole folder means all files and subfolders too):
    C:\Documents and Settings\All Users\Application Data\msw <--- the whole folder
    C:\Program Files\Ebates_MoeMoneyMaker <--- the whole folder
    C:\Program Files\0ftmy376 <--- the whole folder
    C:\Program Files\Media Access <--- the whole folder
    C:\Program Files\VBouncer <--- the whole folder
    C:\Program Files\AutoUpdate <--- the whole folder
    C:\WINDOWS\system32\wsxsvc <--- the whole folder
    C:\windows\system32\idzhsp.exe
    C:\WINDOWS\system32\iepngl32.exe <--- this looks like a possible HSA hijacker that may show up.
    C:\windows\system32\calc.exe
    C:\WINDOWS\Pynix.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\system32\trgen.dll
    C:\WINDOWS\system32\AUNBHO.dll
    C:\WINDOWS\system32\rtneg2.dll
    C:\WINDOWS\system32\ap9h4qmo.exe
    C:\WINDOWS\system32\gah95on6.exe
    C:\WINDOWS\system32\AUNPS2.DLL
    C:\WINDOWS\system32\msmc.exe
    C:\WINDOWS\system32\abasa5jrp.exe
    C:\windows\system32\4ZF.exe
    c:\windows\system32\EoNh.exe
    C:\WINDOWS\system32\iepngl32.exe
    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\farmmext.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. GingerBreadMan

    GingerBreadMan Private E-2

    Thanks a ton chaslang, I really appreciate all the help you're giving me. It appears to be better, but I'm obviously not an expert:). Sorry about having the browsers open, I was fairly sure I had closed them but I guess I was wrong. Here is my new log, I tried to get all the files, but I may have missed some. Thanks again.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Again I see C:\Program Files\Internet Explorer\iexplore.exe running. If you are positive you closed all browsers, let me know. Some malware problems can have IE running in the background.

    Looks like you still have a bunch of issues. Make sure this time you keep track of what you find and do not find. Step by step. You must tell me the results or I have no idea what is going on.

    Go to Add/Remove programs and uninstall if found (tell me what you find and if it uninstalled or not):
    Ebates_MoeMoneyMaker
    WeatherBug
    Toolbar
    mywebsearch or MyWay or MySearch or MySearchBar (or any of them)

    If you do not use AOL's Viewpoint Manager, uninstall it too (most people do not need this and never use it):
    Viewpoint or Viewpoint Manager

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\imelog.exe
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\WINDOWS\system32\abasa5jrp.exe
    C:\WINDOWS\system32\htiating.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    c:\PROGRA~1\Toolbar\radio.exe

    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {9A972CAF-5300-45FD-9064-B7A8962D96FE} - C:\Program Files\0ftmy376\0ftmy376.dll (file missing)
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [37nO3sS] imelog.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Iw4ERie4h] htiating.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb02994US_ZN
    O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRA~1\Toolbar <--- delete all files in this folder and the whole folder
    C:\Program Files\Ebates_MoeMoneyMaker <--- delete all files in this folder and the whole folder
    C:\Program Files\AWS <--- delete all files in this folder and the whole folder
    C:\WINDOWS\system32\imelog.exe
    C:\WINDOWS\system32\abasa5jrp.exe
    C:\WINDOWS\system32\htiating.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Do not skip this next set of steps, I expect to see www.majorgeeks as your home page to know the procedure has worked.
    Now we need to Reset Web Settings:

    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
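    To go with the two HijackThis listings chaslang walks through above (posts 4 and 6), here is an added example that is not part of this thread and not HijackThis code: a small Python triage helper that parses the R0/R1, O2 (BHO) and O4 (Run key) line formats and reports what a reviewer checks before fixing anything: how many distinct BHO CLSIDs point at one DLL, which entries are already orphaned ("(no file)" / "(file missing)"), and which Run entries launch a bare file name that still has to be located on disk. The sample log is constructed from entries quoted in the thread; the function names are mine.

```python
import re
from collections import defaultdict

# Entry formats seen in the thread's HJT logs.  Other types (O3, O8, O9,
# O16, O18, "O4 - Startup:") are not parsed and make parse_line return None.
RE_R = re.compile(r'^(R[01]) - ([^,]+),([^=]+?) =\s?(.*)$')
RE_O2 = re.compile(r'^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$')
RE_O4 = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$')

def parse_line(line):
    """Return a dict for a recognised HJT entry, or None."""
    line = line.strip()
    m = RE_R.match(line)
    if m:
        return {"type": m.group(1), "key": m.group(2), "value": m.group(3),
                "data": m.group(4).strip(), "raw": line}
    m = RE_O2.match(line)
    if m:
        path = m.group(3).strip()
        missing = path == "(no file)" or path.endswith("(file missing)")
        return {"type": "O2", "name": m.group(1), "clsid": m.group(2).upper(),
                "path": path.replace(" (file missing)", ""),
                "missing": missing, "raw": line}
    m = RE_O4.match(line)
    if m:
        return {"type": "O4", "hive": m.group(1), "name": m.group(2),
                "command": m.group(3).strip(), "raw": line}
    return None

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def bho_counts_by_dll(entries):
    """Distinct BHO CLSIDs per DLL (case-insensitive path); the first log in
    the thread had dozens of CLSIDs all registered to 0ftmy376.dll."""
    clsids = defaultdict(set)
    for e in entries:
        if e["type"] == "O2" and e["path"] != "(no file)":
            clsids[e["path"].lower()].add(e["clsid"])
    return {dll: len(ids) for dll, ids in clsids.items()}

def orphaned_entries(entries):
    """Entries HJT marks as (no file)/(file missing): registry leftovers."""
    return [e["raw"] for e in entries if e.get("missing")]

def unqualified_run_entries(entries):
    """Run-key names whose command is a bare file name or a rundll32 call
    rather than an absolute path (cf. iepngl32.exe, AUNPS2.DLL above)."""
    out = []
    for e in entries:
        if e["type"] == "O4":
            cmd = e["command"].lstrip('"')
            if not re.match(r'^[A-Za-z]:\\', cmd):
                out.append(e["name"])
    return out

# Constructed sample: a handful of lines copied from the thread's listings.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {0223380F-C650-4AF8-AE2B-77A0C5B52DCD} - C:\Program Files\0ftmy376\0ftmy376.dll
O2 - BHO: (no name) - {090506D3-2E16-449F-AA04-4730C2218D86} - C:\Program Files\0ftmy376\0ftmy376.dll
O2 - BHO: (no name) - {16A558D5-D1EE-4BE9-AE32-D0376F002D57} - C:\Program Files\0ftmy376\0ftmy376.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {9A972CAF-5300-45FD-9064-B7A8962D96FE} - C:\Program Files\0ftmy376\0ftmy376.dll (file missing)
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [37nO3sS] iepngl32.exe
O4 - HKCU\..\Run: [Iw4ERie4h] igmcp50.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(bho_counts_by_dll(entries), orphaned_entries(entries),
          unqualified_run_entries(entries), sep="\n")
```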
     
  7. GingerBreadMan

    GingerBreadMan Private E-2

    Thanks for your patience, and for all your help. I couldn't find either WeatherBug or Ebates in the add/remove list. And in the process manager I couldn't find
    C:\PROGRA~1\Toolbar\TBPS.exe
    C:\WINDOWS\system32\abasa5jrp.exe
    C:\PROGRA~1\Toolbar\PIB.exe
    c:\PROGRA~1\Toolbar\radio.exe

    I couldn't find any of the websearch files after doing a scan, or the toolbar files, or the weatherbug files.

    As for the folders to delete in safe mode I couldn't find
    C:\PROGRA~1\Toolbar <--- delete all files in this folder and the whole folder
    C:\Program Files\Ebates_MoeMoneyMaker <--- delete all files in this folder and the whole folder
    C:\Program Files\AWS <--- delete all files in this folder and the whole folder
    C:\WINDOWS\system32\imelog.exe
    C:\WINDOWS\system32\abasa5jrp.exe

    Also, I am positive I didn't have any browsers open, so perhaps they're being hidden or something? Anyways thanks once more, and here is my new log.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log looks clean of all the bad stuff now. How is your PC running?
     
  9. GingerBreadMan

    GingerBreadMan Private E-2

    Sorry for the delayed reply, had a terrible headache the last day and a half. My computer seems to be running better, but Ad-Aware and Spybot are still finding trojan programs, so it seems that most of the viruses/trojans are gone but there are still a few remaining:(. But once again, thanks a ton for all your help, without you I think I would have shot my computer in frustration.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post your Ad-Aware and Spybot logs! Are you sure they are finding trojans? Or is it just cookies and MRU's and maybe a few remnant registry entries?
     
  11. GingerBreadMan

    GingerBreadMan Private E-2

    Sorry for the delayed reply Chaslang, I was away visiting relatives for a while. Anyways, yea I am pretty certain I am infested again. I just found 1300 critical objects after running Ad-aware. I am going to run the general scans, and then likely post the HijackThis log here if that is ok?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would like to see what Ad-Aware and Spybot are finding. Post their logs. If they are very long, you may have to put them into a ZIP file to attach them. Please do not post them inline either way. Make them attachments.

    Then we will see if a new HJT log is needed.
     
  13. GingerBreadMan

    GingerBreadMan Private E-2

    Sounds good, here is my Ad-aware log, and I apologize if it isn't how you wanted it, as I wasn't too sure how to save it, I just copied it and pasted it in Notepad. Spybot isn't finding anything, not sure if that's good or bad. Anyways I would like to thank you once again for the help.
     
  14. Norvll

    Norvll Private E-2

    ...This is completely off subject-- but are you the Gingerbread man I think you are? (if you are you'd recognize my handle...)
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run Ad-Aware SE while in safe mode? If not, please do so. Also make sure you run the VX2 cleaner plugin while in safe mode.

    Didn't you also say Spybot was detecting problems?

    Also please do the following: download and update Microsoft® Windows AntiSpyware but do not scan yet. Then boot into SAFE MODE and run a full scan with MS Antispyware.

    After doing the above tell me what problems you still notice and post a new HJT log from normal boot mode.
     
  16. GingerBreadMan

    GingerBreadMan Private E-2

    Sorry once again for the delayed response (seems like I'm saying that a lot lately). I was forced to have Windows reinstall while it was loading, due to an inability to do anything while it was on, couldn't access the internet, or any programs, or even turn it off. So my PC is cleared, at least for the time being, I would like to thank you chaslang for all your help, you're the greatest!!

    And nope Norvil, I'm not THE gingerbreadman..sorry:(
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
