detimes2

asked on

spyware

Hello,
I have spyware on my computer that is causing problems with Internet Explorer.  I can go to the homepage that is set as my opening page, but then when I type another URL I get a message that Windows Explorer must close.  Windows Defender found downloader.ay and says it fixes it, but still the same problem.  Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:41:25 PM, on 5/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LxrJD30s.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cnn.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13cd6eedc0d4fb734519/netzip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130940833795
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{950AC78B-FF63-414A-B643-9BE3C89DFB0A}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: Lexar JD30 (LxrJD30s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD30s.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

thank you
Luc Franken

Hi detimes2,

There's indeed some spyware on your computer. Instead of posting your HJT logfile, you will be better off doing some automatic cleaning first.
Please download Ewido from http://www.ewido.net, update it and run a full system scan. Remove anything it finds.
(Run Ewido in safe-mode to be sure the pieces of spyware aren't running while scanning and cleaning)

Afterwards, please post a HijackThis log at http://www.hijackthis.de and only post a link to the analyzed log instead of posting your full log here.

Greetings,

LucF
Greetings, detimes2!

Here is a link to the analyzed log

http://hijackthis.de/logfiles/d8d6a5e6f7d1109b9c05ebd1d8fe2396.html

Do you use a Lexar device?

You have WildTangent.  Uninstall it from Add/Remove Programs.

Check the box next to the following items and have HijackThis "Fix Checked".
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab

If you did not install the following items, have HJT remove them.  
O17 - HKLM\System\CCS\Services\Tcpip\..\{950AC78B-FF63-414A-B643-9BE3C89DFB0A}: NameServer = 68.94.156.1 68.94.157.1

Best wishes!
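The reply above picks the suspicious entries out of the log by eye: BHOs with "(no file)", the runsrv32.exe and susp.exe Run entries, the WildTangent ActiveX download, and an O17 nameserver line the owner may not recognise. The following Python script is an added example and is not code from HijackThis, from Experts Exchange or from any poster in this thread. It parses exactly those HijackThis line types and applies the same checks mechanically, so the asker's later question ("how do I figure out what the O17 entry is?") becomes a comparison against the nameservers the owner expects (the ISP's or the router's). The allow-lists of known-good system32 autoruns and ActiveX download hosts are assumptions chosen for illustration, not vendor data; the sample log is a subset of the log posted in the question.

```python
"""Triage of HijackThis 1.99-style log lines (added example, not HijackThis code).

Checks mirror what the experts in the thread flagged by hand:
  R3  missing default URLSearchHook (informational)
  O2  BHO whose DLL is "(no file)": a dead hook, safe to fix
  O4  Run entry whose binary sits directly in system32 under a name outside
      a small allow-list (runsrv32.exe and susp.exe in the posted log)
  O16 ActiveX (DPF) object downloaded from a host outside an allow-list
  O17 nameserver that is not one the owner expects (ISP or router)
  O23 service whose binary is "(file missing)"
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SYSTEM32_RUN_ALLOW = frozenset({"ctfmon.exe", "nerocheck.exe"})  # assumption for this example
DPF_HOST_ALLOW = frozenset({"microsoft.com", "creative.com"})    # assumption for this example

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run[A-Za-z]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<src>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str       # HijackThis line type, e.g. "O4"
    severity: str   # "high", "medium" or "info"
    detail: str
    line: str


def _exe_from_command(cmd: str) -> str:
    """Return the executable path of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _host_allowed(host: str) -> bool:
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in DPF_HOST_ALLOW)


def triage(log: str, expected_nameservers: frozenset = frozenset()) -> list:
    """Parse a HijackThis log and return the entries worth acting on, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, the process list and blanks carry no entries
        kind, body = m.group("kind"), m.group("body")
        if kind == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(kind, "info", "default URLSearchHook missing", line))
        elif kind == "O2" and (b := O2_RE.match(body)) and b.group("path") == "(no file)":
            findings.append(Finding(kind, "high", f"BHO {{{b.group('clsid')}}} has no file", line))
        elif kind == "O4" and (b := O4_RE.match(body)):
            exe = _exe_from_command(b.group("cmd"))
            in_system32 = ntpath.dirname(exe).lower() == r"c:\windows\system32"
            if in_system32 and ntpath.basename(exe).lower() not in SYSTEM32_RUN_ALLOW:
                findings.append(Finding(kind, "high", f"unknown system32 autorun {exe}", line))
        elif kind == "O16" and (b := O16_RE.match(body)):
            host = urlparse(b.group("src")).netloc
            if host and not _host_allowed(host):  # local DLL paths have no host
                findings.append(Finding(kind, "medium", f"ActiveX from {host}", line))
        elif kind == "O17" and (b := O17_RE.search(body)):
            for server in re.split(r"[ ,]+", b.group("servers").strip()):
                if server not in expected_nameservers:
                    findings.append(Finding(kind, "medium", f"unexpected nameserver {server}", line))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(kind, "info", "service binary missing", line))
    return findings


# Subset of the log posted in the question (constructed sample input).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{950AC78B-FF63-414A-B643-9BE3C89DFB0A}: NameServer = 68.94.156.1 68.94.157.1
O23 - Service: IomegaAccess - Unknown owner - C:\WINDOWS\System32\iomegaaccess.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    # The asker later confirmed the O17 servers are the ISP's, so they are expected here.
    for f in triage(SAMPLE_LOG, frozenset({"68.94.156.1", "68.94.157.1"})):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

Run with the expected nameservers empty and the O17 line is reported once per server; fill the set in from the ISP's or router's DNS settings and it goes quiet, which is the check the thread performs by asking the owner. The O2 "(no file)" and O23 "(file missing)" entries are leftovers rather than live code; the O4 system32 check is the one that finds the running adware, and its allow-list must be tuned per machine.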
detimes2

ASKER

Yes, I use a Lexar JumpDrive.  I had HijackThis fix all items you listed and still the same problem.  Is there a way to repair Internet Explorer or reinstall it, or what should I try next?
Also I don't know if I installed O17 - HKLM\System\CCS\Services\Tcpip\..\{950AC78B-FF63-414A-B643-9BE3C89DFB0A}: NameServer = 68.94.156.1 68.94.157.1
How do I figure out what that is?
ASKER CERTIFIED SOLUTION
war1
Yes, it is my ISP address.  Each time that I reboot and then start IE, I get a message stating that Windows Defender found the downloader.ay file.  Can't find much googling that, but Defender says that it's a trojan.  Any ideas on that?  What are 3rd party extensions?
Seems like that is when it began, when Defender found that trojan.
detimes2,

Is the only problem that Windows Defender is finding a trojan?  Can Defender delete it?  It could be in system store files or it could be a false positive.

Disable and Enable System Restore, which will delete any trojan in those files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Defender does find the trojan and says that it is deleting it, requires a reboot, but it comes back.
Does Defender show the path to the trojan?  If so, use Killbox or Unlocker in Safe Mode to remove the hard-to-remove file.

Killbox to remove stubborn files
http://www.scancomplete.com/download/killbox/
OR
Unlocker
http://www.majorgeeks.com/download4660.html

If you cannot delete the file, disable it.  Right click on the file and select Properties > Security > Advanced. Uncheck "Inherit from parent" and remove other permissions.  If you are using Windows XP Home, you need to access the Security tab from Safe Mode. If using Windows XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing".
The O17 entry is probably your router, or you are using dial-up.

Start in safe mode and let HJT fix these entries if they still exist:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab

Check these locations and delete them if they still exist. You can use Killbox http://www.downloads.subratam.org/KillBox.zip if you cannot delete them manually.

C:\WINDOWS\system32\runsrv32.exe
C:\WINDOWS\system32\susp.exe
C:\program files\wildtangent


Install Ewido Security Suite www.ewido.net
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu
Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
Run a full system scan

Perform an online scan using Internet Explorer with Panda ActiveScan @ http://www.pandasoftware.com/products/activescan.htm
Click on "Free use ActiveScan" located in the top right hand corner.
Click Check Now and a pop-up window shall appear. *Ensure that your pop-up blocker doesn't block it.
Enter your e-mail address, country, and state and click Scan Now. It begins downloading 8 MB of Panda's ActiveX controls.
Begin the scan by selecting My Computer.
If it finds any malware, it will offer you a report.
Please ignore any entry it finds that wants you to buy the program.
Click on See Report. Then click Save Report.

Perform an online scan with BitDefender at www.bitdefender.com (it will delete the infections found).

Perform an online scan with Internet Explorer at Kaspersky Online Scanner @ http://www.kaspersky.com/service?chapter=161739400
Answer Yes, when prompted to install an ActiveX component.
The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

It will be time consuming, but I am thinking you will be able to get rid of the infection after the scans.

detimes2,

Delete this file or killbox it -->C:\WINDOWS\system32\susp.exe
and run roguescanfix; it should get rid of your problem.


1. Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\susp.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.


2. Download roguescanfix_setup.
http://users.telenet.be/Beamerke/tools/roguescanfix_setup.exe
Double-click roguescanfix_setup to install it.

After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.

Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message that BFU.exe is not present, download BFU.zip from here: http://www.merijn.org/files/bfu.zip
Unzip it and place BFU.exe in the c:\program files\roguescanfix folder. Then double-click Roguescanfix.bat again.

The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs is finished before you click Yes to reboot.


Alternative link for roguescanfix:
http://www.martijnc.be/tools/roguescanfix.exe
detimes2,

We have not heard from you in a while. Did any comment help you solve your problem? Do you have any more questions? If an Expert helped you, please accept his/her answer above with an excellent or good grade.

Thanks, war1
Download Spybot Search and Destroy from PepiMk. Three years, and it's still got the job done.

http://www.safer-networking.org/
My dear friend, download Spyware Doctor from http://www.pctools.com/spyware-doctor/. This is the best tool I have noticed for removing spyware.


Also avoid going to serial sites and adult sites; these two are the only sources for getting spyware. Spyware is terrible to deal with, and even though you die cleaning it, you only slightly, with a fraction of your luck, get your PC working right again.

Personally I would recommend Spybot, Ewido and sumatric, but above all use Spyware Doctor.

If you still can't get it good again, I would recommend formatting the Windows partition and reinstalling it. :(



Best of luck,
kisses to you.
I like:

SpyBot Search and Destroy
Ad-Aware by Lavasoft
Ewido
Microsoft Antispyware/Windows Defender
Yes, but I tried to download Ewido and it will download, but it crashes every time about halfway through installation. Now what?
OK, thanks.
Sorry for my ignorance, but how do I create or run a logfile, please? I have made it to the HijackThis site and got the box that says "you can paste a logfile in this textbox". Now what do I do? Is there a logfile tab, or is it something else, please?
dk1999,

I'm sorry to hear about your problems, but you'd be better off if you'd ask your own question by following this link:
https://www.experts-exchange.com/Security/Win_Security/askQuestion.jsp (As you didn't mention your operating system the Windows Security topic might be the best location)
After you've posted your question there, I'm sure one or more experts will be able to help you quickly.
One piece of advice I can give you directly is that you should try to run Ewido in Windows Safe Mode instead of running Windows normally, as certain pieces of viruses and ad/spyware will effectively block you from erasing them.

Best regards,

LucF