BullGuard Antivirus Forum
Need help removing trojans/malware that seem to cause popups and scam mail

BlkhwkAJ
New Member
Date Joined Oct 2005
Total Posts : 11
Posted 8-20-2007 4:19 (GMT +1)
Hi - here are the hijackthis.log and AVG logs. No Rootlog.txt was created when I ran rootchk.
The system user has issues with junk mail/scam mail as well as unwanted popups and crashing of Internet Explorer.
Previously, my son was using the computer and may have inadvertently infected the system.
Thanks for your help.
 
Hijackthis.log:
Logfile of HijackThis v1.99.1
Scan saved at 11:03:51 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Yapta\YaptaClient.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\FunStuff\My Documents\Cleanup\alternativ.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta Tagger - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe  /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Vga Hide Wave Mode] C:\Documents and Settings\All Users\Application Data\JUNKFREEVGAHIDE\Part Upload.exe
O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Gram For.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bold logo] C:\DOCUME~1\JOHN&C~1\APPLIC~1\BLUEWA~1\inside wma.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Yapta.com - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Tagger Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Tagger Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {C0E3D5C0-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {C0E3D5C1-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C0E3D5C2-14D7-11D7-9A69-00079534C39A} - http://www.comcastsupport.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {B8D6C709-4B16-4A74-9793-ADD1D9A0372E} (ACWinAX.AutoContract) - http://autorealty.net/cgi-bin/ACWinAX.CAB
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
 
AVG log #1:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 9:31:40 PM 8/19/2007
 + Scan result: 
 
C:\WINDOWS\SYSTEM32\bdedata2.dll -> Adware.Altnet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\DelFin -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\DelFin\PromulGate -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DownloadWare -> Adware.Downloadware : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DownloadWare\Prefs -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DownloadWare -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\DownloadWare\Prefs -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DownloadWare -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\DownloadWare\Prefs -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\DownloadWare -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\DownloadWare\Prefs -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DownloadWare -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DownloadWare\Prefs -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\DownloadWare -> Adware.Downloadware : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\DownloadWare\Prefs -> Adware.Downloadware : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Updater -> Adware.KeenValue : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Updater -> Adware.KeenValue : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Updater -> Adware.KeenValue : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Updater -> Adware.KeenValue : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\Updater -> Adware.KeenValue : Cleaned with backup (quarantined).
C:\Program Files\DownloadWare\Downloads\51.dat -> Adware.MediaPops : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP315\A0075444.exe -> Adware.MediaPops : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_88.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall4_94.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\John & Carolyn\DoctorWeb\Quarantine\p2p networking.exe -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\P2P Networking v126.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\P2P Networking -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\P2P Networking\Cache -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\P2P Networking\Cache\Database -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\P2P Networking\MARSHAL.DLL -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\P2P Networking\P2P Networking.eng -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer.1 -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CLSID -> Adware.P2PNetworking : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CurVer -> Adware.P2PNetworking : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> Adware.PeerNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
HKU\S-1-5-21-1343024091-1383384898-2146838195-1004\Software\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\vrExt.dll -> Adware.VirusRescue : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\JUNKFREEVGAHIDE\Global Coal.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\Documents and Settings\John & Carolyn\Application Data\blue way\odymhzro.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP316\A0076124.exe -> Trojan.Obfuscated.en : Cleaned with backup (quarantined).

::Report end
 
AVG log #2:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 10:52:03 PM 8/19/2007
 + Scan result: 
 
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076517.dll -> Adware.Altnet : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076520.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076521.exe -> Adware.NewDotNet : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076516.DLL -> Adware.P2PNet : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076518.exe -> Adware.P2PNet : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076519.cpl -> Adware.P2PNet : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076522.dll -> Adware.VirusRescue : Cleaned.
C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076514.exe -> Trojan.Obfuscated.en : Cleaned.
C:\System Volume Information\_restore{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP321\A0076515.exe -> Trojan.Obfuscated.en : Cleaned.

::Report end
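The entries in the HijackThis log above that an analyst looks at first (Run keys launching from Application Data, BHO/SSODL load points with "(no file)" behind them, a DPF ActiveX entry with no source URL) can be picked out mechanically. The Python script below is an added example, not part of the original post and not code from HijackThis itself: it applies those triage heuristics to a subset of lines copied from the first log. The directory list, the trusted-root prefixes and the reason strings are this example's own assumptions, not HijackThis conventions.

```python
"""Triage heuristics for HijackThis v1.99 log lines.

Added example, not part of the original forum post and not code from
HijackThis itself. SAMPLE_LOG is a constructed subset of the log posted
above; the heuristics, directory list and reason strings are assumptions
made for this example, not HijackThis conventions.
"""
import re
from dataclasses import dataclass

# Subset of the first HijackThis log in the thread (constructed sample).
SAMPLE_LOG = r"""O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Vga Hide Wave Mode] C:\Documents and Settings\All Users\Application Data\JUNKFREEVGAHIDE\Part Upload.exe
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Gram For.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bold logo] C:\DOCUME~1\JOHN&C~1\APPLIC~1\BLUEWA~1\inside wma.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O21 - SSODL: buprestidae - {b59f3ba4-98da-4b5f-8a2d-7b56fb11140b} - (no file)
"""


@dataclass
class Finding:
    line: str
    reasons: list


# Directories a Run-key autorun should not launch from on a clean XP box
# (assumption of this example); long and 8.3 short forms of each.
DATA_DIRS = (
    "\\APPLICATION DATA\\", "\\APPLIC~1\\",
    "\\LOCAL SETTINGS\\", "\\LOCALS~1\\",
    "\\TEMP\\",
)
# Roots under which a space in an executable name is unremarkable (assumption).
TRUSTED_ROOTS = ("C:\\PROGRAM FILES", "C:\\PROGRA~1", "C:\\WINDOWS")

# "O4 - HKLM\..\Run: [name] command"  (Run-key entries only, not Global Startup)
O4_RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First .exe in the command, with or without surrounding quotes.
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.I)
# "O16 - DPF: {CLSID} (Friendly Name) - http://source"  (name and URL optional)
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")


def triage_line(line: str) -> list:
    """Return the reasons one log line deserves a closer look ([] if none)."""
    line = line.rstrip()
    reasons = []
    # O2 BHO, O20 Winlogon Notify and O21 SSODL are load points; a registration
    # whose file is gone is an orphaned hook left behind by a partial removal.
    # O9 buttons with "(no file)" are deliberately not checked: usually harmless.
    if line.startswith(("O2 - ", "O20 - ", "O21 - ")) and line.endswith("(no file)"):
        reasons.append("load point registered but file missing (orphaned hook)")
    m = O4_RUN_RE.match(line)
    if m:
        exe_m = EXE_RE.match(m.group("cmd"))
        exe = exe_m.group("exe") if exe_m else m.group("cmd")
        upper = exe.upper()
        if any(d in upper for d in DATA_DIRS):
            reasons.append("autorun launched from a data directory")
        basename = exe.rsplit("\\", 1)[-1]
        if " " in basename and not upper.startswith(TRUSTED_ROOTS):
            reasons.append("space in executable name outside Program Files/Windows")
    m = O16_RE.match(line)
    if m and not m.group("url"):
        reasons.append("ActiveX (DPF) entry with no download source URL")
    return reasons


def triage_log(text: str) -> list:
    """Run triage_line over a whole log and keep only the flagged lines."""
    findings = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line.rstrip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

The flags are prompts to verify, not verdicts: the JRE 1.4.1_01 DPF entry is caught by the same no-URL rule as the Web P2P Installer entry and is an ordinary leftover. The three Run entries under Application Data are the ones worth acting on; the AVG report in the same post quarantined other executables from two of those directories (JUNKFREEVGAHIDE and "blue way", the long form of BLUEWA~1), yet all three Run entries are still present in the second HijackThis log posted later in the thread. Scanner hits under C:\System Volume Information\_restore{...} are System Restore snapshots, not running code.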
Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 8-20-2007 4:28 (GMT +1)
Hello :)

Please download the free trial of SUPERAntiSpyware.

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)

Start SUPERAntiSpyware / right-click on the black/yellow bug in the tray.
Hit the "Scan Your Computer" button.
Click on the drive(s) you want to scan. Put a check in "Perform Complete Scan", then Next, and it will scan now. When the scan has finished, put a checkmark next to all items it found. Next, after cleaning, allow it to reboot.

Start SUPERAntiSpyware again.
Click Preferences and then click the Statistics/Logs tab.
Click the dated log and press View Log, and a text file will appear.

Post this log along with a fresh HijackThis log, and tell us how things are running.

Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.

Cstrikedish
New Member
Date Joined Jan 2007
Total Posts : 36
Posted 8-20-2007 8:22 (GMT +1)
O4 - HKCU\..\Run: [bold logo] C:\DOCUME~1\JOHN&C~1\APPLIC~1\BLUEWA~1\inside wma.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)
I think both of them should be fixed with your antispy program. They are very nasty for you. If you do not have the right tool to scan for and remove adware, this free one is my favorite program. It is very easy and effective!
Good luck!

Go! go! go! Fire in the forum!
Find the best multimedia tools, mobile phone manager, flash swf file software and other great programs that I used in my blog


Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14350
Posted 8-20-2007 8:59 (GMT +1)
BlkhwkAJ - DO NOT follow Cstrikedish's so-called advice, as you have a large number of infections.

BlkhwkAJ
New Member
Date Joined Oct 2005
Total Posts : 11
Posted 8-20-2007 12:29 (GMT +1)
I ran SUPERAntiSpyware - here is the log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/20/2007 at 07:14 AM
Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type       : Complete Scan
Total Scan Time : 00:38:48
Memory items scanned      : 403
Memory threats detected   : 0
Registry items scanned    : 5052
Registry threats detected : 35
File items scanned        : 31782
File threats detected     : 15
Adware.SmartPops
 HKLM\Software\Classes\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}
 HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}
 HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\Programmable
 HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\TypeLib
 HKCR\CLSID\{0421701D-CF13-4E70-ADF0-45A953E7CB8B}\VersionIndependentProgID
Unclassified.Unknown Origin
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{b59f3ba4-98da-4b5f-8a2d-7b56fb11140b}
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#buprestidae
Adware.Tracking Cookie
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@indextools[2].txt
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@fastclick[1].txt
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@cpvfeed[2].txt
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@azoogleads[1].txt
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@hitbox[2].txt
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@login.tracking101[2].txt
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@adopt.euroclick[2].txt
 C:\Documents and Settings\John & Carolyn\Cookies\john_&_carolyn@ehg-pcsecurityshield.hitbox[2].txt
Adware.WhenU
 HKCR\WUSN.1
 HKCR\WUSN.1#WUSN_Id
Malware.SystemDoctor
 C:\Documents and Settings\John & Carolyn\Application Data\SystemDoctor 2006 Free\Logs\update.log
 C:\Documents and Settings\John & Carolyn\Application Data\SystemDoctor 2006 Free\Logs
 C:\Documents and Settings\John & Carolyn\Application Data\SystemDoctor 2006 Free
Trojan.Media-Codec
 C:\Program Files\VIDEO ACTIVEX OBJECT
Malware.VirusRescue
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\cNyu
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\gaqviCbewykcn
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\owqhwykSalpgK
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\ProgID
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\Qyzmy
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\Sdat
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\skodA
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\TypeLib
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\VersionIndependentProgID
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\vgriNk
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\wgOlrdPsceFT
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\wNwZPq
 HKCR\CLSID\{F80DB5A5-A885-7370-4983-841F62A80AF2}\ylnvUcaTfod
 HKCR\Interface\{679B00B5-0783-4DE4-A478-7227FDD50825}
 HKCR\Interface\{679B00B5-0783-4DE4-A478-7227FDD50825}\ProxyStubClsid
 HKCR\Interface\{679B00B5-0783-4DE4-A478-7227FDD50825}\ProxyStubClsid32
Malware.AntiVermins
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\apgscjtyrj
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\bakf
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\InprocServer32
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\Itnrquv
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\nwhqsga
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\qgpuqquo
 HKCR\CLSID\{663DE629-4FFD-A944-6F0A-64F98E925B62}\vtgt
Browser Hijacker.Favorites
 C:\DOCUMENTS AND SETTINGS\JOHN & CAROLYN\FAVORITES\ONLINE SECURITY TEST.URL
Adware.Lop-Gen
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP315\A0075435.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F2B5209-D412-46D3-96BE-2A0A9A3E8BA4}\RP316\A0076123.EXE
In addition, I ran HijackThis again. Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 7:27:02 AM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\FunStuff\My Documents\Cleanup\alternativ.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta Tagger - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe  /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Vga Hide Wave Mode] C:\Documents and Settings\All Users\Application Data\JUNKFREEVGAHIDE\Part Upload.exe
O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Gram For.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [bold logo] C:\DOCUME~1\JOHN&C~1\APPLIC~1\BLUEWA~1\inside wma.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Yapta.com - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Tagger Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Tagger Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {C0E3D5C0-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {C0E3D5C1-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C0E3D5C2-14D7-11D7-9A69-00079534C39A} - http://www.comcastsupport.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {B8D6C709-4B16-4A74-9793-ADD1D9A0372E} (ACWinAX.AutoContract) - http://autorealty.net/cgi-bin/ACWinAX.CAB
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
 
Current system condition: The system seems to boot up faster.  Still have popups.  Currently have many anti-virus/malware/trojan tools loaded into the task tray.  Will remove many of them once the system is clean as the system only has 736 MB of memory.
 
Thanks for your help.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 8-20-2007 1:06 (GMT +1)
Ok -
 
 
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT.
Click fix checked:
O4 - HKLM\..\Run: [Vga Hide Wave Mode] C:\Documents and Settings\All Users\Application Data\JUNKFREEVGAHIDE\Part Upload.exe
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Gram For.exe
O4 - HKCU\..\Run: [bold logo] C:\DOCUME~1\JOHN&C~1\APPLIC~1\BLUEWA~1\inside wma.exe
O9 - Extra button: Yapta.com - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
 
You may want to print this or save it to notepad as we will go to safe mode.

 
 
Re-start your PC in Safe Mode
 
 
Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
 
Delete-
 
 
Folders:
C:\Documents and Settings\All Users\Application Data\JUNKFREEVGAHIDE\Part Upload.exe
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Gram For.exe
C:\DOCUME~1\JOHN&C~1\APPLIC~1\BLUEWA~1\inside wma.exe
 
 
Reboot normally
 
 
If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (normally C:), and launch from there.

 
Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.


Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, normally C:\rapport.txt

Post a fresh HijackThis log with rapport.txt, and tell how your computer is behaving.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
process.exe is detected by some antivirus programs as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
 

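A small triage script, added here and not part of the thread, of HijackThis or of SmitfraudFix: it parses HijackThis O4 and O16 lines like the ones Touch listed and flags the pattern he picked out, autoruns that launch from an Application Data folder, plus DPF entries with no source URL. The 8.3 short-name expansions, the directory heuristics and the sample log excerpt are assumptions/constructed for the example.

```python
"""Added triage helper (not from the thread): flag HijackThis O4 autoruns that
launch from profile/data folders and O16 (DPF) entries lacking a source URL.
Heuristics only: a hit means "look closer", not "malicious"."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed expansions of 8.3 short names common in these logs (the true mapping
# depends on the order directories were created on the specific machine).
SHORT_NAMES = {"DOCUME~1": "Documents and Settings",
               "APPLIC~1": "Application Data",
               "PROGRA~1": "Program Files"}

# Per-machine autoruns rarely legitimately live under these directories.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

O4_RUN = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})"
                     r"(?: \((?P<name>[^)]*)\))? -(?P<url>.*)$")
# First quoted or unquoted token ending in an executable extension.
EXE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|bat|scr|pif))"?(?:\s|$)', re.I)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4" or "O16"
    name: str      # Run-key value name, .lnk name or DPF class name
    target: str    # expanded executable path, or the CLSID for O16
    severity: str  # "suspect" or "review"
    reason: str


def expand_short(path: str) -> str:
    """Replace known 8.3 short names so directory checks see the long form."""
    for short, full in SHORT_NAMES.items():
        path = path.replace(short, full)
    return path


def executable_of(cmd: str) -> Optional[str]:
    """Pull the launched binary out of a Run command line, dropping arguments."""
    m = EXE.match(cmd.strip())
    return expand_short(m.group("path")) if m else None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if exe is None:
                continue
            if "\\" not in exe:  # e.g. SOUNDMAN.EXE: found via the search path
                findings.append(Finding("O4", m.group("name"), exe, "review",
                                        "bare filename; depends on search-path order"))
            elif any(d in exe.lower() for d in SUSPECT_DIRS):
                findings.append(Finding("O4", m.group("name"), exe, "suspect",
                                        "autorun launched from a profile/data directory"))
            continue
        m = O16_DPF.match(line)
        if m and not m.group("url").strip():
            findings.append(Finding("O16", m.group("name") or m.group("clsid"),
                                    m.group("clsid"), "review",
                                    "ActiveX download entry with no source URL"))
    return findings


# Constructed excerpt modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe  /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Vga Hide Wave Mode] C:\Documents and Settings\All Users\Application Data\JUNKFREEVGAHIDE\Part Upload.exe
O4 - HKLM\..\Run: [Support audio cool poll] C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO\Gram For.exe
O4 - HKCU\..\Run: [bold logo] C:\DOCUME~1\JOHN&C~1\APPLIC~1\BLUEWA~1\inside wma.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.name!r}: {f.target} ({f.reason})")
```

Run against the excerpt it reports the same three O4 entries Touch had fixed as "suspect", and the two URL-less DPF entries plus the bare SOUNDMAN.EXE as "review".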
 

BlkhwkAJ
New Member


Date Joined Oct 2005
Total Posts : 11
 
Posted 8-21-2007 11:30 (GMT +1)
1. Ran HijackThis and did the "fix checked"s listed.
2. Restarted in Safe Mode and deleted the bolded directories.
3. Downloaded and ran, in Safe Mode, SmitfraudFix.exe. Unfortunately, this program did not request any response from me past the "Select option #2 - Clean by typing 2 and press "Enter" to delete infected files" step and stopped at deleting temp files. Below are the rapport.txt and Hijackthis.log files.
Rapport.txt:
SmitFraudFix v2.213b
Scan done at 20:36:47.38, Mon 08/20/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1       localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\migicons.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
Hijackthis.log:
Logfile of HijackThis v1.99.1
Scan saved at 6:28:45 AM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Yapta\YaptaClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\FunStuff\My Documents\Cleanup\alternativ.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yapta Tagger - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe  /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Yapta Tracker] C:\Program Files\Yapta\YaptaClient.exe /onstartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Yapta Tagger Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Tagger Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {C0E3D5C0-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {C0E3D5C1-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C0E3D5C2-14D7-11D7-9A69-00079534C39A} - http://www.comcastsupport.com (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {B8D6C709-4B16-4A74-9793-ADD1D9A0372E} (ACWinAX.AutoContract) - http://autorealty.net/cgi-bin/ACWinAX.CAB
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
Performance:
1) The popups that were even coming up with the bullguard.com/forum website have stopped :p
2) I've removed the other virus removal programs (except Norton) to judge speed, and once the "welcome" screen is present it boots a lot quicker.
3) The boot up process in the beginning, meaning when the Windows XP black background screen is up, is slower - not significantly but definitely noticeable.
Thanks for your help.
 

BlkhwkAJ
New Member


Date Joined Oct 2005
Total Posts : 11
 
Posted 8-21-2007 11:41 (GMT +1)
P.S. to Touch: The system user no longer has "comcast" as an internet provider. Is it alright if the "O9"s related to Comcast are deleted via HijackThis? Thanks.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 8-21-2007 11:50 (GMT +1)
It looks to me SmitfraudFix has deleted the bad stuff.

Ok, just fix the O9 lines then:
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ComcastHSI - {C0E3D5C0-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {C0E3D5C1-14D7-11D7-9A69-00079534C39A} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C0E3D5C2-14D7-11D7-9A69-00079534C39A} - http://www.comcastsupport.com (file missing) (HKCU)


How are things running now?


 

 

BlkhwkAJ
New Member


Date Joined Oct 2005
Total Posts : 11
 
Posted 8-24-2007 1:48 (GMT +1)
The system is running great. I've left the system on since Tuesday's changes to see if the system would slow down just by being on. It didn't. Also, the system is fast in comparison to the speed that it operated at when I received it.

Thanks for the help.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14350
 
Posted 8-24-2007 2:02 (GMT +1)
I was glad to help.
 
 
Older versions of Java have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.
 
Download the latest version of Java from http://java.sun.com/javase/downloads/index.jsp

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.

Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version
 
To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
System Restore
 
 
Here is some additional software you may wish to consider using to prevent malicious software installing on your PC:

IE-SPYAD: IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known ad/spy servers and domains to the "Restricted Zone" of Internet Explorer. (Choose between IE-SPYAD and IE-SPYAD2). Freeware