# System Alert: Malware threats



## shisname (Oct 7, 2006)

I have the same problem.
I get redirected when I open IE (but not in Firefox).
I also get a balloon constantly popping up:

*System Alert: Malware threats*

Your computer is infected with a back door trojan that allows the remote attacker to perform various malicious actions. Click this balloon to download malware removal software.

Before this I had a VirusBuster program that kept popping up, but I used RogueScanFix & SmitRem to remove that program in safe mode.

I will monitor this thread to try and rid myself of this PIA


----------



## Cookiegal (Aug 27, 2003)

Hi and welcome to TSG,

If you have taken anything out of startups via msconfig please go to *Start* > *Run*, type in *msconfig*, click OK and click on the Startup tab. Click on *Enable All* then *Apply* and OK. Then please do the following:

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Addition Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## shisname (Oct 7, 2006)

Hi, sorry for the very late reply. I took my PC to a computer store and just got it back today (6 days later); unfortunately I still have the problem. Here are my HijackThis logs....

I apologise for posting my previous logs in the other person's thread too.... I was wondering what happened to my post.



> Logfile of HijackThis v1.99.1
> Scan saved at 6:31:38 PM, on 10/12/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.5700.0006)
> ...


BTW I am not yzzoartiss, I don't know who that is, so I shall not follow the above instructions.


----------



## shisname (Oct 7, 2006)

SmitFraudFix v2.109

Scan done at 1:26:14.19, Fri 10/13/2006
Run from C:\Documents and Settings\Russel\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Russel

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Russel\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Russel\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SoftCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## Cookiegal (Aug 27, 2003)

Sorry, I didn't realize that someone else had hijacked your thread. I've split their posts off into a separate thread.

I can't believe they gave you your computer back like this!

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*


----------



## shisname (Oct 7, 2006)

> SmitFraudFix v2.109
> 
> Scan done at 7:00:17.80, Fri 10/13/2006
> Run from C:\Documents and Settings\Russel\Desktop\SmitfraudFix
> ...





> Logfile of HijackThis v1.99.1
> Scan saved at 7:11:52 AM, on 10/13/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.5700.0006)
> ...


Those are the 2 logs, thanks for your help.


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

Download *AVG Anti-Spyware* from *HERE* and save that file to your desktop.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.


Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button. The update will start and a progress bar will show the updates being installed.

Once the update has completed, select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*".
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
Reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight *Safe Mode* then hit enter.

*IMPORTANT:* Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:

Launch AVG Anti-Spyware by double clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
AVG will now begin the scanning process. Please be patient as this may take a little time.
*Once the scan is complete, do the following:*
If you have any infections you will be prompted. Then select "*Apply all actions.*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report

*Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.*


----------



## shisname (Oct 7, 2006)

The Panda Scan doesn't seem to be working?



> 1. Enter your Country
> 2. Enter your State/Province
> 3. Enter your e-mail address and click send
> 4. Select either Home User or Company
> 5. Click the big Scan Now button


There was no *send*; I filled in my country and e-mail, then clicked the Scan Now button, but nothing seems to be happening.

Here are my other scans



> ---------------------------------------------------------
> AVG Anti-Spyware - Scan Report
> ---------------------------------------------------------
> 
> ...





> Logfile of HijackThis v1.99.1
> Scan saved at 10:50:53 AM, on 10/13/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.5700.0006)
> ...


The initial problem seems to be fixed, fingers crossed.
Thank you for your continued help <3


----------



## Cookiegal (Aug 27, 2003)

Run Kaspersky online virus scan *here*.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, save the results from the scan and post them along with a new HijackThis log please!


----------



## shisname (Oct 7, 2006)

KASPERSKY ONLINE SCANNER REPORT 
Saturday, October 14, 2006 3:21:37 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/10/2006
Kaspersky Anti-Virus database records: 231439

Scan Settings 
Scan using the following antivirus database extended 
Scan Archives true 
Scan Mail Bases true

Scan Target My Computer 
A:\
C:\
D:\
E:\
F:\

Scan Statistics 
Total number of scanned objects 80661 
Number of viruses found 10 
Number of infected objects 32 / 0 
Number of suspicious objects 3 
Duration of the scan process 03:37:09

Infected Object Name Virus Name Last Action 
C:\backup\Program Files\DelFin\PromulGate\patchme.exe/PgSDK.DLL Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d skipped

C:\backup\Program Files\DelFin\PromulGate\patchme.exe ViseMan: infected - 1 skipped

C:\backup\Program Files\DelFin\PromulGate\patchme.exe ViseMan: infected - 1 skipped

C:\backup\Program Files\DelFin\PromulGate\PgSDK.DLL Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d skipped

C:\backup\Program Files\DownloadWare\Downloads\90.dat/data0002 Infected: not-a-virus:AdWare.Win32.MediaPops.b skipped

C:\backup\Program Files\DownloadWare\Downloads\90.dat NSIS: infected - 1 skipped

C:\backup\Program Files\DownloadWare\Temp\me.exe/data0002 Infected: not-a-virus:AdWare.Win32.MediaPops.b skipped

C:\backup\Program Files\DownloadWare\Temp\me.exe NSIS: infected - 1 skipped

C:\backup\WINDOWS\SYSTEM\AustraliaLove-uninstall.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\SYSTEM\DateMakerAustralia-uninstall.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\SYSTEM\HotAction_au-uninstall.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\SYSTEM\HotSurprise_au-uninstall.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\SYSTEM\HotWetLove-uninstall.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\TEMP\Adware\DelFinMediaViewer29j.exe/PgSDK.DLL Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d skipped

C:\backup\WINDOWS\TEMP\Adware\DelFinMediaViewer29j.exe ViseMan: infected - 1 skipped

C:\backup\WINDOWS\TEMP\Adware\DelFinMediaViewer29j.exe ViseMan: infected - 1 skipped

C:\backup\WINDOWS\TEMP\nsiE0.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\TEMP\nsiE4.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\TEMP\nsiED.exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\Temporary Internet Files\Content.IE5\DCYPHL2O\hotparty_au[1].exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\Temporary Internet Files\Content.IE5\KDSHKPOV\hotwetlove[2].exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\backup\WINDOWS\Temporary Internet Files\Content.IE5\Y531HDEP\hotparty_au[1].exe Infected: not-a-virus:Dialer.Win32.gen skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-10-13_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Russel\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Russel\Desktop\Installers\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped

C:\Documents and Settings\Russel\Desktop\Installers\mirc617.exe mIRC: infected - 1 skipped

C:\Documents and Settings\Russel\Desktop\Virus Protectors\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Russel\Desktop\Virus Protectors\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Russel\Desktop\Virus Protectors\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Russel\Local Settings\Application Data\Identities\{21BA42DF-097F-46F3-AA6B-AD19C105FC05}\Microsoft\Outlook Express\Sent Items.dbx/[From "Russell wynn" ][Date Fri, 9 Apr 2004 15:57:12 +1000]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Documents and Settings\Russel\Local Settings\Application Data\Identities\{21BA42DF-097F-46F3-AA6B-AD19C105FC05}\Microsoft\Outlook Express\Sent Items.dbx/[From "Russell wynn" ][Date Fri, 9 Apr 2004 15:57:12 +1000]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped

C:\Documents and Settings\Russel\Local Settings\Application Data\Identities\{21BA42DF-097F-46F3-AA6B-AD19C105FC05}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: suspicious - 2 skipped

C:\Documents and Settings\Russel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Russel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Russel\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Russel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Russel\ntuser.dat Object is locked skipped

C:\Documents and Settings\Russel\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Internet Explorer\iexplorer.exe Infected: Trojan-Downloader.Win32.Crypter skipped

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped

C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\3.tmp Infected: Backdoor.Win32.VB.agz skipped

C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F9.tmp\TvmBho.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.v skipped

C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F9.tmp\TvmCore.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.aj skipped

C:\Program Files\Yahoo!\YPSR\Quarantine\ppq511.tmp Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Prefetch\Layout.ini Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{854656FB-AD85-4B0E-AC9F-D0D96E9C9C01}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{BF83FE5F-9D4C-4DDB-8D2C-6E94C0AD2DBA}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



> Logfile of HijackThis v1.99.1
> Scan saved at 3:25:50 AM, on 10/14/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.5700.0006)
> ...


Sorry about the smilies, I didn't want to edit them just in case I did something wrong.
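As an added example (not part of the thread, and not a Kaspersky tool), here is a small Python triage helper for the scanner report pasted above: it parses each result line into path, verdict and action, separates the "Object is locked" noise from real signature hits, and lists the hits that are neither already in a quarantine folder nor inside the C:\backup copy of the old install. The sample lines are copied from the report above; the function names and the "already contained" folder heuristic are my own assumptions.

```python
"""Triage helper for a Kaspersky Online Scanner text report.

Added example, not part of the original thread and not a Kaspersky tool.
Each result line has the shape  <path> <verdict> <action>  and paths may
contain spaces, so the line is matched against the verdict forms the report
uses plus the action word at the far right:
    Infected: <name>            signature hit (not-a-virus:* = riskware)
    Suspicious: <name>          heuristic hit
    Object is locked            file in use, could not be scanned
    <Container>: infected - N   archive/mailbox whose members were listed
"""
import re
from collections import Counter
from dataclasses import dataclass

_LINE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<kind>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>[\w ]+): (?P<ckind>infected|suspicious) - (?P<count>\d+))"
    r" (?P<action>\S+)$"
)

# Locations where a hit is already contained (assumption, not a Kaspersky
# rule): an AV quarantine store, or the C:\backup copy of the old install
# that the repair shop left behind.  Hits there are not live infections.
_CONTAINED = ("\\quarantine\\", "c:\\backup\\")


@dataclass
class Finding:
    path: str
    category: str  # malware | riskware | suspicious | container | locked
    name: str
    action: str


def parse_line(line):
    """Return a Finding for one result line, or None for headers/footers."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    if m["locked"]:
        return Finding(m["path"], "locked", "", m["action"])
    if m["container"]:
        return Finding(m["path"], "container", m["container"].strip(), m["action"])
    name = m["name"]
    if m["kind"] == "Suspicious":
        category = "suspicious"
    elif name.startswith("not-a-virus:"):
        category = "riskware"       # adware, dialers, IRC clients, RiskTools
    else:
        category = "malware"        # Trojan-Downloader, Backdoor, ...
    return Finding(m["path"], category, name, m["action"])


def parse_report(text):
    return [f for f in map(parse_line, text.splitlines()) if f]


def summarize(findings):
    return Counter(f.category for f in findings)


def needs_attention(findings):
    """Malware or suspicious hits that are still live on the system."""
    return [f for f in findings
            if f.category in ("malware", "suspicious")
            and not any(tag in f.path.lower() for tag in _CONTAINED)]


# Constructed sample: lines copied from the report in the thread above.
# Note the first hit: the real Internet Explorer binary is iexplore.exe,
# so an "iexplorer.exe" beside it is a look-alike name worth noticing.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Program Files\Internet Explorer\iexplorer.exe Infected: Trojan-Downloader.Win32.Crypter skipped
C:\Program Files\Trend Micro\Internet Security 2006\Quarantine\3.tmp Infected: Backdoor.Win32.VB.agz skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\backup\Program Files\DelFin\PromulGate\patchme.exe/PgSDK.DLL Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d skipped
C:\backup\Program Files\DelFin\PromulGate\patchme.exe ViseMan: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Russel\Local Settings\Application Data\Identities\{21BA42DF-097F-46F3-AA6B-AD19C105FC05}\Microsoft\Outlook Express\Sent Items.dbx/[From "Russell wynn" ][Date Fri, 9 Apr 2004 15:57:12 +1000]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Russel\Local Settings\Application Data\Identities\{21BA42DF-097F-46F3-AA6B-AD19C105FC05}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: suspicious - 2 skipped
Scan process completed.
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(summarize(found)))
    for f in needs_attention(found):
        print(f"{f.category:10} {f.name:45} {f.path}")
```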


----------



## Cookiegal (Aug 27, 2003)

Please follow these instructions exactly as shown in order to achieve the best results:

*1.* Please download *Brute Force Uninstaller* to your desktop.
Right click the BFU folder on your desktop, and choose *Extract All*
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" (or whatever your primary drive is)
Click "Make New Folder"
Type in BFU
Click "Next", and *Un*check the "Show Extracted Files" box and then click "Finish".
*2.* *RIGHT-CLICK HERE* and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
*Save it in the same folder you made earlier (c:\BFU)*.

*3.* Restart your computer in *Safe Mode*

*4.* Open My Computer and navigate to the c:\BFU folder.
Start the Brute Force Uninstaller by double-clicking *BFU.exe*
Behind the *scriptline to execute* field click the folder icon and select *EGDACCESS.bfu*
Press *Execute* and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the *complete script execution* box to pop up and press OK.
Press *exit* to terminate the BFU program.

*5.* Reboot back to normal mode and post:
The content of the file C:\egd.txt that was created by the script.
The content of the folder bfubackups in your System(32) folder. This folder was also created by the script.
A new HijackThis log


----------



## shisname (Oct 7, 2006)

I cannot find a *C:\egd.txt*

The folder *bfubackups* is empty

I could not follow the *Extract All* instruction as my winrar doesn't have that option.
I did Create a Folder c:\BFU then extracted BFU into that folder as well as saving EGDACCESS Remover in the same folder.

I ran BFU.exe a second time in safe mode and saved these logs:


> BFU v1.00.9
> Windows XP SP2 (WinNT 5.01.2600 SP2)
> Script started at 10:46:39 AM, on 10/14/2006
> 
> ...





> Logfile of HijackThis v1.99.1
> Scan saved at 11:08:19 AM, on 10/14/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.5700.0006)
> ...


----------



## Cookiegal (Aug 27, 2003)

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

O2 - BHO: SA - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll (file missing)

O16 - DPF: {FB2961FD-DD24-4F8A-8A92-6F9325FF6F11} - http://www.supaseek.com/toolbar/toolbar.cab

Then boot to safe mode:

 *How to restart to safe mode*

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\backup\Program Files\DelFin

C:\backup\Program Files\DownloadWare\Downloads\90.dat

C:\backup\Program Files\DownloadWare\Temp\me.exe

C:\backup\Program Files\DownloadWare\Temp\me.exe

C:\backup\WINDOWS\SYSTEM\AustraliaLove-uninstall.exe

C:\backup\WINDOWS\SYSTEM\DateMakerAustralia-uninstall.exe

C:\backup\WINDOWS\SYSTEM\HotAction_au-uninstall.exe

C:\backup\WINDOWS\SYSTEM\HotWetLove-uninstall.exe

C:\backup\WINDOWS\TEMP\Adware\DelFinMediaViewer29j.exe/PgSDK.DLL

C:\backup\WINDOWS\TEMP\Adware\DelFinMediaViewer29j.exe

C:\backup\WINDOWS\TEMP\Adware\DelFinMediaViewer29j.exe

C:\backup\WINDOWS\TEMP\nsiE0.exe

C:\backup\WINDOWS\TEMP\nsiE4.exe

C:\backup\WINDOWS\TEMP\nsiED.exe

C:\backup\WINDOWS\Temporary Internet Files\Content.IE5\DCYPHL2O

C:\backup\WINDOWS\Temporary Internet Files\Content.IE5\KDSHKPOV

C:\backup\WINDOWS\Temporary Internet Files\Content.IE5\Y531HDEP 

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log please.


----------



## shisname (Oct 7, 2006)

> Logfile of HijackThis v1.99.1
> Scan saved at 12:54:41 PM, on 10/14/2006
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v7.00 (7.00.5700.0006)
> ...


----------



## Cookiegal (Aug 27, 2003)

How are things running now?


----------



## shisname (Oct 7, 2006)

Everything seems fine, thank you sooo much for your help <3


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* > *All Programs* > *Accessories* > *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

*Empty the recycle bin*.


----------

