Avast WEBforum

Other => Viruses and worms => Topic started by: SUSZANNAH on April 27, 2007, 06:44:22 PM

Title: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 06:44:22 PM
Hi all, can anyone help with this malware? Avast blocks it no problem, it only comes down when I use IE. Is there any setting in IE7 I need to alter? Thanks for any info......susz
Title: Re: cawajanga.biz
Post by: FreewheelinFrank on April 27, 2007, 06:58:53 PM
Hi Susz,

It's not malware in itself- it's a web site hosting an exploit- the recent .ani exploit, which then installs a Trojan:

http://www.castlecops.com/t186707-cawajanga_biz.html

If IE is being diverted to that site willy-nilly, you need to scan for spyware which might be responsible with AVG Anti-Spyware, Spybot and Ad-Aware.

Also check the Hosts file for malicious entries.

If that fails, post a HijackThis! log for us.

Title: Re: cawajanga.biz
Post by: DavidR on April 27, 2007, 07:03:59 PM
Come on Susz you know the drill ;D number rank and serial number ;D

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

Have you done a Google search for cawajanga.biz? I did, and this is just one of the hits: http://www.castlecops.com/t186707-cawajanga_biz.html. DON'T click any of the links on that page; what it will do is give you an idea of other files to do a search for on your system.

This would appear to be one of the attempted exploits for the ANI vulnerability that was patched in a recent Windows security update, so ensure you have your OS updated to close this exploit. It won't stop them trying, but it will close the vulnerability.

Edit: I must improve my typing speed, I must improve my typing speed, I must improve my typing speed, I must improve my typing speed, I must improve my typing speed, I must improve my typing speed ;D
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 07:15:54 PM
Thanks both for the quick replies, this has gone on for about 2 weeks; I thought I had got it, I cleared 3 trojans to start with.

Just ran scans with Adaware and A-Squared found nothing apart from tracking cookies.

Looked in Warning Log all it says is:

SYSTEM  1240 sign of CVE-2007-0038 has been found in http://cawaj...... and that's it.

Out of practice with this lol
Title: Re: cawajanga.biz
Post by: DavidR on April 27, 2007, 07:25:19 PM
Looks like some form of browser hijack or trojan downloader trying to access that site, I feel 'avg anti-spyware' is better than a-squared so I would suggest running that and then the HJT that Frank said.

Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip (http://www.spywareinfo.com/~merijn/files/hijackthis.zip) HJT has now been sold to Trend Micro inc. but the 1.99.1 version should still be available here or at one of the download sites. - HJT Information HiJackThis Tutorial 1 (http://www.bleepingcomputer.com/forums/tutorial42.html) or HiJackThis Tutorial 2 (http://www.tomcoyote.org/hjt/#introduction) or HiJackThis Tutorial 3 (http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm)
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 09:37:42 PM
Hi again, scanned with AVG it found 'Highjacker.Agent.a' in temp internet files, removed ok.

But I clear these temp files everyday, so how does it keep coming back?

And should I uninstall A-Squared and just keep AVG antispy?

I have run a HJT log but can't remember how to get it to you??????

comment appreciated, thanks guys        :)
Title: Re: cawajanga.biz
Post by: DavidR on April 27, 2007, 09:41:18 PM
Keep it as a secondary anti-trojan on-demand scanner; it won't be using any resources unless you use it.

Copy and paste the contents into a post. If it is too large to do in one post, split it into two parts and make a second post.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 09:45:42 PM
Logfile of HijackThis v1.99.1
Scan saved at 8:45:08, on 27/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Cacheman\Cacheman.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://esampler.tns-global.com/esampler/writeaoltest.html?harvest,AOL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S7ED.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.7/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/KelloggCompany/Coupons.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6836D0D-4E7B-4AFE-AFD2-B53B5D144D7B}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: EXSMgr - C:\WINDOWS\SYSTEM32\EXSMgr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Hope I did this right    ???
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 10:36:26 PM
I suspect worldwinner games is where I may have got this, I see it in the log, how do I get it out?
Title: Re: cawajanga.biz
Post by: polonus on April 27, 2007, 11:04:06 PM
Hi Susz,

Could not that be "nylon pantyhose" games?  ;D
This will patch the ANI- hole: http://support.microsoft.com/kb/935843

Wait for the evaluation of your HJT log. I'd like to get info on O20 - Winlogon Notify: EXSMgr - C:\WINDOWS\SYSTEM32\EXSMgr.dll and the other EXSMgr.dll. Maybe Essexboy knows what this dll is.

Damian
Title: Re: cawajanga.biz
Post by: Spyros on April 27, 2007, 11:05:45 PM
Hello SUSZANNAH  :D

These don't look very good:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/KelloggCompany/Coupons.cab

O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab

O20 - Winlogon Notify: EXSMgr - C:\WINDOWS\SYSTEM32\EXSMgr.dll

I'd suggest you also do a scan with this: http://www.mwti.net/products/mwav/mwav.asp
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 11:13:55 PM
Hi there Damian, long time no see, you guessed it I messed up again..........

Thank you Spyros, will try that.

How do I get these entries out?


even more confused than I used to be lol
Title: Re: cawajanga.biz
Post by: polonus on April 27, 2007, 11:28:56 PM
Hi Susz,

The two mentioned "BBHO"'s = bad browser helper objects can be taken from your comp using Toolbarcop, go here: http://windowsxp.mvps.org/toolbarcop.htm and download this small proggie.
The other way is load up HJT and tag exactly what Spyros mentioned in his posting, nothing more, nothing less, and then click enter, and that is that.
I would like to wait a bit for a second opinion, but the two 02 BHO's can be safely killed using Toolbarcop. If you know what to do, it is "easy peasy", my gal,

Damian

Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 11:32:39 PM
Thanks Damian, waiting here with bated breath......... ;D
Title: Re: cawajanga.biz
Post by: DavidR on April 27, 2007, 11:39:27 PM
Run HJT again and put a tick in the boxes to the left of the entries and click the Fix button.

Check that the files aren't in the locations mentioned, this one mainly.
- C:\WINDOWS\SYSTEM32\EXSMgr.dll

If it is, add it to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest.

Since it wasn't detected by anything it should be submitted to avast for analysis to improve detections.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 27, 2007, 11:44:19 PM
Thank you everyone for your help     :)

Hi again David, do you want me to just remove the ones Spyros pointed out?
Title: Re: cawajanga.biz
Post by: polonus on April 27, 2007, 11:46:36 PM
Hi Susz,

There is your second op. All flags down now, go hit that HJT "hogwart" tool button and finalize this cleansing routine. In the meantime I keep my fingers crossed for ye, all's well that ends well,

Damian
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 12:05:41 AM
OK woohoo got 3 of them off.....but

2 are in the system32\EXSMgr.dll, not sure how I get them from HJT to the avast chest....

Title: Re: cawajanga.biz
Post by: polonus on April 28, 2007, 12:14:46 AM
Hi Susz,

What is the one that stayed behind? What you got off with HJT or toolbarcop has gone to electronic nowhere land, this malware has "evaporated" - you cannot put that back to the chest or forward it to Avast. HJT has got rid of it, definitely period. What's gone is gone.

polonus
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 12:33:46 AM
nooo lol didn't understand what David meant by the 2 in SYSTEM32\EXZMgr.dll so I didn't delete them........yet, till I know what I am doing     ;D
Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 01:02:42 AM
Quote
OK woohoo got 3 of them off.....but

2 are in the system32\EXSMgr.dll not sure how I get them from HJK to avast chest....

You don't. HJT tackles the registry entries that run the files, etc. Once that is cleaned up, the files don't run; you then have to manually remove (delete) them. I'm proposing that you first add them to the avast chest so that they can be sent to Alwil for analysis.

There were two entries in the HJT log for the 'system32\EXSMgr.dll' one file so there is only one to find.

1. First open the avast chest and click the User Files section and add the c:\windows\system32\EXSMgr.dll to the chest, see the image that I posted; it shows how to do it: File, Add.
2. There will be an explorer like pop-up navigate to the c:\windows\system32\EXSMgr.dll and click Open, this will add the file to the chest.
3. Right click on the file in the chest and select Email to Alwil Software.
4. Don't change any settings in the window. Give a brief outline of the problem (possibly a link to this thread) and the fact that you believe it to be a new, undetected virus.
5. Send.

Once you have sent the sample to avast, you now need to delete the copy in the system32 folder. Before you do that you will need to disable system restore and reboot, otherwise Windows will save a copy as a restore point. At any time in the future, if you use system restore you could be reinfecting your system.

How to disable System Restore (http://www.pchell.com/virus/systemrestore.shtml).

Once you have deleted the file, you can enable system restore and reboot.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 01:26:46 AM
mmmmmm have opened the chest, gone to files, it won't let me add, it's greyed out? What am I doing wrong?
Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 02:08:49 AM
You haven't opened the User Files section, click on the Icon.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 02:31:41 AM
right with you so far... system restore is off and sent mail to alwil.....and the last lap is??? lol

told you i was out of practice    ;D
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 02:57:11 AM
HJT won't remove the 2 files in SYSTEM32\EXMgr.dll, this is driving me nuts...... >:(
Title: Re: cawajanga.biz
Post by: FreewheelinFrank on April 28, 2007, 09:04:22 AM
Susz,

The malware is active in memory and is protecting itself against removal. You need a program like FileAssassin to remove it on reboot before it can activate:

http://www.malwarebytes.org/fileassassin.php

Install the program and enter the file name as follows:

(http://donaldbroatch.users.btopenworld.com/fileassassin.png)

Note that I have selected the 'Use delete on Windows reboot functions.'

PS You also have a seriously out of date and vulnerable version of Java. Run this scanner to confirm this and any other possible vulnerabilities:

http://secunia.com/software_inspector/

It will give you links to download new versions. Don't forget you need to remove older versions of Java from Add/Remove.  ;)
Title: Re: cawajanga.biz
Post by: polonus on April 28, 2007, 01:32:35 PM
Hi FwF,

Why can't I find any info on this particular dll? It has to be related to malware that comes in after the ANI-hole is exploited; I told SUSZ also that she has to download all the critical M$ patches onto her computer. But I cannot find technical info on EXSMgr.dll. Have you seen anything?

polonus
Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 02:06:11 PM
Firstly the file name is EXMgr.dll. Second, the only hit I find is related to a common mis-spelling of extmgr.dll (a legit Windows file), which is often a common tactic. The fact that there are no Google hits makes it even more suspicious; however, there is nothing to say this is an .ani exploit, that deduction came from where the hijacks were going, cawajanga.biz.

The O20 - Winlogon Notify: EXSMgr - C:\WINDOWS\SYSTEM32\EXSMgr.dll entry is what I believe we all found suspicious, backed up by an almost total lack of information. We know it shouldn't be there but we can't say for sure what it does.

Perhaps Susz should check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.
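As an added example (not from this thread, and not part of HijackThis or avast), here is a small Python triage script that encodes the checks the helpers did by eye on the HJT log above: Spyros's flagging of the anonymous O2 BHOs, the O16 ActiveX downloads and the O20 Winlogon Notify entry, and DavidR's point that EXSMgr.dll sits one typo away from the legitimate extmgr.dll. The sample lines are constructed from the log posted in this thread; the allowlists are illustrative assumptions, not authoritative lists.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Encodes the checks applied by eye in this thread: anonymous or orphaned O2 BHO
entries, O16 ActiveX downloads from unfamiliar hosts, O20 Winlogon Notify DLLs
outside an allowlist, and file names one or two typos away from a legitimate
Windows file (EXSMgr.dll next to the real extmgr.dll). The allowlists are
constructed for illustration only and are far from complete.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on lines from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O20 - Winlogon Notify: EXSMgr - C:\WINDOWS\SYSTEM32\EXSMgr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Shape of an HJT line: "O20 - Winlogon Notify: <name> - <path>" or
# "O2 - BHO: <name> - {CLSID} - <path or '(no file)'>".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Constructed allowlists (illustrative assumptions, not authoritative).
KNOWN_WINLOGON_NOTIFY = {"igfxsrvc.dll", "wgalogon.dll"}
KNOWN_DPF_HOSTS = {"update.microsoft.com", "downloads.ewido.net"}
LEGIT_SYSTEM_FILES = {"extmgr.dll", "shdocvw.dll", "wgalogon.dll", "igfxsrvc.dll"}


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between a log entry's file name
    and a real system file name suggests a typo-squatted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate file name this one imitates, or None."""
    name = filename.lower()
    if name in LEGIT_SYSTEM_FILES:
        return None
    for legit in sorted(LEGIT_SYSTEM_FILES):
        if edit_distance(name, legit) <= 2:
            return legit
    return None


def target_basename(body: str) -> str:
    """File name of the entry's target: the text after the final ' - ',
    with any trailing '(file missing)' style note removed."""
    tail = body.rsplit(" - ", 1)[-1].strip()
    return ntpath.basename(tail.split(" (")[0])


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one HJT line; return a Finding if anything fires."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    f = Finding(line=line.strip())
    if "(no file)" in body or "(file missing)" in body:
        f.reasons.append("orphaned entry: registry points at a missing file")
    if section == "O2" and body.startswith("BHO: (no name)"):
        f.reasons.append("anonymous BHO: no registered name")
    if section == "O16":
        host = re.search(r"https?://([^/\s]+)", body)
        if host and host.group(1).lower() not in KNOWN_DPF_HOSTS:
            f.reasons.append(f"ActiveX control fetched from unfamiliar host {host.group(1)}")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        dll = target_basename(body).lower()
        if dll not in KNOWN_WINLOGON_NOTIFY:
            f.reasons.append(f"Winlogon Notify DLL not in allowlist: {dll}")
    if section in {"O2", "O20", "O21"}:
        name = target_basename(body)
        legit = lookalike_of(name)
        if legit:
            f.reasons.append(f"file name {name} resembles legitimate {legit}")
    return f if f.reasons else None


def triage_log(text: str) -> List[Finding]:
    """Run every line through triage_line and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

On the sample it flags the two anonymous BHOs, the worldwinner ActiveX download and the EXSMgr Winlogon Notify hook (twice over: unknown DLL and lookalike of extmgr.dll), and leaves the Java helper and WgaLogon entries alone.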
Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 02:15:59 PM
Quote
hjt wont remove the 2 files in SYSTEM32\EXMgr.dll, this is driving me nuts...... >:(

HJT may not be able to directly remove files, only the registry entries; that is why I always say you should check afterwards if the file is still in the location and, if so, manually remove it. It does have a means of deleting a file on reboot: on the bottom right of the window click the Config... button, click the Misc Tools, and there is a Delete file on reboot option. Click that button and you can select the file to delete on reboot.

There is also the tool Frank mentioned to remove files and others:
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
 
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 02:34:45 PM
Thank you all so much, I have enough things to try here to keep me going for a while lol

Will get back with the results.........keep fingers crossed
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 03:19:22 PM
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

The above is the result from Jotti.......after trying to remove it with File Assassin    :'(


Virus Total says no bytes size file uploaded......now I am really confused    ???
Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 03:24:12 PM
Did you try to upload it from the chest (a common reason for 0 byte file size) which is a protected area ?

Perhaps Susz should check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/) if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 03:39:29 PM
ummm just typed it in....how do I get it out of the chest? Got excited, then thought it was just an empty file name lol

I have also run a Secunia check as Frank suggested, 15 insecure versions found, it will take me forever to update them all lol

According to Secunia I have 9 versions of Macromedia Flash Player on here; easier to uninstall and start from scratch?

Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 03:43:40 PM
Right click on the file and select extract, choose a temporary location 'most certainly not back in the system32 folder.'
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 04:13:49 PM
Right, ran Jotti and put it back in the chest in user files.

Scan taken on 28 Apr 2007 14:08:45 (GMT) 
A-Squared  Found nothing
AntiVir  Found TR/Dldr.ConHook.Gen 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Trojan.Downloader.ConHook.AI 
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Rising Antivirus  Found nothing
VirusBuster  Found Packed/Upack 
VBA32  Scanning, Found nothing
Title: Re: cawajanga.biz
Post by: polonus on April 28, 2007, 04:28:05 PM
Hi Susz,

Read this article and follow the protocol: http://forums.spywareinfo.com/index.php?showtopic=23382
You have got yourself a glorious backdoor trojan. Have to later start in safe mode: instructions how to here: http://www.pchell.com/support/safemode.shtml And you have to run the smitfraud removal tool, see: http://www.2-spyware.com/remove-smitfraud.html
After this post a new HJT log.

polonus
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 04:34:56 PM
OMG can it get any worse????????
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 05:16:02 PM
is there an easier way of getting rid of this thing    ???
Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 05:40:03 PM
Quote
right run jotti and put it back in chest in user files.

I would also suggest you first upload to VirusTotal as that has more (32) scanners.

Once you have done that you can 'delete' the file; when you export the file from the chest you will find a copy still remains (confirm), then delete the temp file. The point of a file remaining in the chest is that you can scan it later and see if it is detected by avast.


Quote
is there an easier way of getting rid of this thing 
There really are no shortcuts or easy way, if there was I'm sure polonus would have posted it.
Title: Re: cawajanga.biz
Post by: mauserme on April 28, 2007, 05:51:28 PM
Would I be imposing if I ask for a fresh HijackThis log and a description of the current symptoms?
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 06:08:35 PM

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://esampler.tns-global.com/esampler/writeaoltest.html?harvest,AOL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S7ED.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\RunOnce: [ypagerps2] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps2.DLL"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.7/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6836D0D-4E7B-4AFE-AFD2-B53B5D144D7B}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: EXSMgr - EXSMgr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 28, 2007, 06:10:34 PM
I had to update a lot of programs so I guess that is why the log is longer

main problem is IE is going to different game adverts, don't see much else going on apart from that........ ???
Title: Re: cawajanga.biz
Post by: polonus on April 28, 2007, 06:14:16 PM
Hi Susz,

That IE is going there is because of the malware you have. Let the boys help you to get rid of it.

polonus


Title: Re: cawajanga.biz
Post by: mauserme on April 28, 2007, 06:35:10 PM
Would you open HijackThis again and click to run a scan only.  Then place a check mark next to these lines

O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll (file missing)

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab

O20 - Winlogon Notify: EXSMgr - EXSMgr.dll (file missing)

Now close all windows except HijackThis, including your browser, and click Fix Checked.  Boot into safe mode and look for C:\WINDOWS\system32\EXSMgr.dll.  If present rename the file exsmgr.old.  Then boot back to normal mode and post another hjt log.



Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 06:51:30 PM
Didn't you fix this as we previously mentioned ?
O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll (file missing)
O20 - Winlogon Notify: EXSMgr - EXSMgr.dll (file missing)
These relate to the file you deleted, which is the reason (file missing) is annotated.

Do you understand what we mean by 'fix' in HJT, tick the box to the left of the entry and then click the Fix button. Or did you do that previously and they have come back (which would be strange as I would also have expected the file to come back also) ?


This one relates to an Intel Graphics Accelerator module helper:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Though for the life of me I can't understand why it would be associated with Winlogon Notify: so I'm suspicious. Do you have an Intel Graphics Accelerator (silly question I know, I fear I know your answer) ?

I would suggest you upload this file to VirusTotal for confirmation.
Title: Re: cawajanga.biz
Post by: mauserme on April 28, 2007, 07:12:23 PM
Didn't you fix this as we previously mentioned ?
O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll (file missing)
O20 - Winlogon Notify: EXSMgr - EXSMgr.dll (file missing)
If you look back through the thread everyone expressed suspicions about these but no one explicitly stated what to do in HijackThis.
Title: Re: cawajanga.biz
Post by: DavidR on April 28, 2007, 07:55:33 PM
I beg to differ, I did suggest they should be fixed.

Run HJT again and put a tick in the boxes to the left of the entries and click the Fix button.

Check that the files aren't in the locations mentioned, this one mainly:
- C:\WINDOWS\SYSTEM32\EXSMgr.dll

There might have been no explicit fix on the exact entries, but Susz fixed some of the others, the O16s, and these didn't appear to have been fixed. That doesn't matter so much; my concern was if Susz had fixed them and then they appeared again, and that was also my question.

If, as Susz mentions, there is still hijacking of IE going on, yet there doesn't appear to be anything in the HJT log to indicate this, then perhaps we have a hidden element to this.
Title: Re: cawajanga.biz
Post by: mauserme on April 28, 2007, 09:03:07 PM
I beg to differ, I did suggest they should be fixed.

Well, almost no one ...

If, as Susz mentions, there is still hijacking of IE going on, yet there doesn't appear to be anything in the HJT log to indicate this, then perhaps we have a hidden element to this.
Let's see what happens after that O16 I mentioned is fixed.  I think the adware was related to this one

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/KelloggCompany/Coupons.cab

and currently is still related to this

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab


I believe the latter is a variety of this

http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FPOP%2EA

There may also be a downloader component to this.
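The reasoning in the last few posts (orphaned "(file missing)" entries that only add clutter, an unnamed BHO, a Winlogon Notify DLL nobody can vouch for, an O16 control that reinstalls from a games site) can be scripted. The script below is an added example for this page, not part of the thread and not HijackThis's own code: it applies those rules to a handful of lines copied from the logs posted above. The two known-good lists are assumptions seeded from what posters in this thread vouched for (igfxsrvc.dll, the ewido and Trend Micro online scanners), not an authoritative reference, so treat them as a starting point.

```python
import re
from urllib.parse import urlparse

# Known-good names for the checks below. These allowlists are ASSUMPTIONS made
# for this example, seeded from what the thread vouches for; extend them from a
# trusted reference before relying on the output.
KNOWN_WINLOGON_NOTIFY = {"igfxcui", "wgalogon", "!saswinlogon"}
KNOWN_DPF_HOSTS = {"downloads.ewido.net", "housecall65.trendmicro.com"}

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {dd9bc689-1df2-4d5a-b3e7-62ace31641f7} - C:\WINDOWS\system32\EXSMgr.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
O20 - Winlogon Notify: EXSMgr - EXSMgr.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Every HJT entry starts with a section tag such as "O2" or "R1", then " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # An unnamed Browser Helper Object is worth a look whether or not the file exists.
    if sec == "O2" and body.startswith("BHO: (no name)"):
        return ("high", "unnamed BHO; verify the DLL before keeping it")

    # Winlogon Notify DLLs load at logon; anything not on the known list gets checked.
    if sec == "O20":
        name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if name not in KNOWN_WINLOGON_NOTIFY:
            return ("high", f"Winlogon Notify '{name}' is not on the known-good list; "
                            "submit the DLL to VirusTotal")

    # Orphaned entries: the registry still points at a file that is gone.
    if "(file missing)" in body or "(no file)" in body:
        return ("low", f"{sec} points at a missing file; fix in HJT to clear the orphan")

    # Downloaded Program Files (ActiveX) from anywhere but a trusted scanner host.
    if sec == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        host = urlparse(url).hostname or ""
        if host not in KNOWN_DPF_HOSTS:
            return ("medium", f"ActiveX control downloaded from {host}; "
                              "it reinstalls when the site is revisited")
    return None


def triage(log_text):
    """Run triage_line over a whole log and return findings, most severe first."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            severity, reason = result
            findings.append({"severity": severity, "line": line.strip(), "reason": reason})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Run on the sample, the script reports the unnamed BHO and the EXSMgr Winlogon Notify entry as high, the pogo.com PopCapLoader control as medium, and the orphaned BitDefender button as low; the Yahoo! BHO, the ewido scanner control and igfxcui produce nothing, which matches the conclusions the thread reached by hand.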
Title: Re: cawajanga.biz
Post by: polonus on April 28, 2007, 10:07:39 PM
Hi DavidR and Mauserme,

Apparently Susz has/had some hidden malware, installed through a common exploit she had no defense against because she had not updated or fully patched her System and Programmes.
I gave links on how she could easily start up in SafeMode, and asked her to perform a smitfraud detoxification, because this is the realm of malware that makes her IE go berserk. It has a strong foul smitfraud kind of malicious adware stench i.m.h.o. I'd like to see what you all come up with at the end of this cleansing routine. It is getting more and more interesting for us, not so much for Susz, but she is not alone in this battle against the malicious bytes.

polonus
Title: Re: cawajanga.biz
Post by: mauserme on April 28, 2007, 11:35:56 PM
Hey guys - what I posted at the top of this page was in SUSZANNAH's defense.  It wasn't meant to be a statement against anyone.

Sorry if I've offended  :)


EDIT:  

2 SUSZANNAH - Did you ever have a program called EXS Manager installed?  It's something to do with music file management.
Title: Re: cawajanga.biz
Post by: polonus on April 28, 2007, 11:58:10 PM
Hi Mauserme,

Nobody said that, we all are only trying to help this victim. You are doing a great job, be assured of that. Maybe we all waited for the decisive comment about that EXSMgr.dll. Suspicious because there is absolutely no info on it online. It is a pity Susz cannot analyze what that dll's overflow buffer hole is:

polonus's Technical Details on another similar dll problem:
The buffer overflow bug exists in a part of USER32.DLL involved in handling ANI animated cursor files. A partial ANI file format is given below:

"RIFF" {(DWORD)Length_of_file}
"ACON"
"LIST" {(DWORD)Length_of_list}
"INFO"
"INAM" {(DWORD)Length_of_title} {szTitle}
"IART" {(DWORD)Length_of_author} {szAuthor}
"anih" {(DWORD)Length_of_AnimationHeader} {AnimationHeaderBlock}

Generally, the length of AnimationHeaderBlock should be 36 bytes (0x00000024). The vulnerability is in the handling of the Length_of_AnimationHeader field. This value will be passed as the length argument of memcpy(), in order to copy the contents of AnimationHeaderBlock, but the value is not checked appropriately. The buffer intended to hold the AnimationHeaderBlock is located on the stack, so we can overwrite the return address and exception handler on the stack and jump into the buffer containing our code.

This vulnerability is a separate vulnerability from the ones discovered by Xfocus.

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Anyway an ounce of protection is worth more than a kilo of cleansing afterwards, if you see what we are up against,

polonus
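The advisory polonus quotes comes down to one missing check: the Length_of_AnimationHeader field is trusted before the copy into a fixed 36-byte buffer. As an added illustration for this page (example code, not eEye's, Microsoft's or any poster's), here is a small validating parser for the RIFF/ACON layout shown above, of the kind a mail or web scanner would run before handing a cursor file to the real decoder. The chunk names and the 36-byte anih size are taken from the post; the names of the fields inside the header and the constructed sample file are assumptions.

```python
"""Validating parser for the RIFF/ACON (.ani) chunk layout quoted above.

Added example, not vendor code. Chunk names and the 36-byte anih size come from
the post; the header field names and the sample files are assumptions.
"""
import struct

ANIH_SIZE = 36  # 0x24: the only legal length for the animation header block


class AniFormatError(ValueError):
    """Raised for any structural problem: the file is rejected, never decoded."""


def iter_chunks(data, start, end):
    """Yield (fourcc, payload) for the RIFF chunks in data[start:end].

    The declared length is checked against the enclosing container *before*
    any bytes are taken, which is the check the advisory says USER32 skipped.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (declared,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        if declared > end - body:
            raise AniFormatError(
                f"chunk {fourcc!r} declares {declared} bytes, only {end - body} remain")
        yield fourcc, data[body:body + declared]
        pos = body + declared + (declared & 1)  # RIFF pads odd-length chunks


def parse_ani(data):
    """Return the anih fields and INFO strings of a well-formed .ani, else raise."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise AniFormatError("not a RIFF/ACON file")
    (riff_len,) = struct.unpack_from("<I", data, 4)
    end = 8 + riff_len
    if end > len(data):
        raise AniFormatError(f"RIFF length {riff_len} exceeds the file size")
    header, info = None, {}
    for fourcc, payload in iter_chunks(data, 12, end):
        if fourcc == b"anih":
            # Fixed-size header: validate the length before touching the bytes.
            if len(payload) != ANIH_SIZE:
                raise AniFormatError(f"anih is {len(payload)} bytes, expected {ANIH_SIZE}")
            fields = struct.unpack("<9I", payload)
            header = dict(zip(("cb_size", "frames", "steps", "width", "height",
                               "bit_count", "planes", "disp_rate", "flags"), fields))
            if header["cb_size"] != ANIH_SIZE:
                raise AniFormatError("anih cbSize field does not match its length")
        elif fourcc == b"LIST" and payload[:4] == b"INFO":
            for sub, text in iter_chunks(payload, 4, len(payload)):
                if sub in (b"INAM", b"IART"):
                    info[sub.decode()] = text.rstrip(b"\0").decode("latin-1")
    if header is None:
        raise AniFormatError("missing anih chunk")
    return {"header": header, "info": info}


def is_well_formed(data):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_ani(data)
        return True
    except (AniFormatError, struct.error):
        return False


def chunk(fourcc, payload, declared=None):
    """Encode one RIFF chunk; `declared` lets a test forge the length field."""
    length = len(payload) if declared is None else declared
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", length) + payload + pad


def build_sample_ani(anih_payload=None, anih_declared=None):
    """Constructed .ani bytes: a 2-frame header plus a title and an author."""
    if anih_payload is None:
        anih_payload = struct.pack("<9I", ANIH_SIZE, 2, 2, 32, 32, 32, 1, 10, 1)
    info = chunk(b"INAM", b"sample\0") + chunk(b"IART", b"constructed\0")
    body = (b"ACON"
            + chunk(b"LIST", b"INFO" + info)
            + chunk(b"anih", anih_payload, anih_declared))
    return b"RIFF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(parse_ani(build_sample_ani()))
    print(is_well_formed(build_sample_ani(anih_payload=bytes(64))))   # False: 64 != 36
    print(is_well_formed(build_sample_ani(anih_declared=0x10000)))   # False: runs past end
```

The two rejected samples cover the two ways the length field can lie: a block that really is longer than 36 bytes, and a declared length far larger than what the file contains. Both are caught before any copy happens, which is the whole difference between this parser and the pattern the advisory describes.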
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 01:10:15 AM
I may have misunderstood but I thought avast! was successfully preventing the malicious ani files from downloading.

... Avast blocks it no problem ...

Looked in Warning Log all it says is:

SYSTEM  1240 sign of CVE-2007-0038 has been found in http://cawaj...... and that's it.


Possibly the situation has changed since those initial posts.
Title: Re: cawajanga.biz
Post by: polonus on April 29, 2007, 01:22:33 AM
Hi Mauserme,

That is also a bit confusing to me. Avast should have protected Susz against the consequences of the ANI-hole; on the other hand she was vulnerable because she did not have a fully updated and patched system. She must have (had) some nasty adware/spyware infection that is re-directing the results of her IE browser. If she worked toolbar cop as I suggested, she is free of those in her hjt logs, but she has not told us what actions she actually has taken, just asking a lot of questions. Yes, my friend Mauserme, the situation is a little confusing, this cleansing routine begins to look a little bit like goose ladders, if you grasp what I mean to say,

polonus
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 01:49:16 AM
... this cleansing routine begins to look a little bit like goose ladders, if you grasp what I mean to say,
Something to do with those "nylon pantyhose games"?  I think I've missed some inside jokes  ;D
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 02:14:33 AM
thank you all for the help, have followed everything to the letter you advised me to do. Ran the scan in safe mode; after an hour and finding 42 infected files, Spyware Doctor decided they wanted payment to remove them.

... but in safe mode could not access the net to buy the program....

so will have to start over again tomorrow....... :'(
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 06:24:53 AM
Try the free version of SuperAntiSpyware instead

http://www.superantispyware.com/

This plus AVG AntiSpyware (mentioned earlier) will miss very little.
Title: Re: cawajanga.biz
Post by: FreewheelinFrank on April 29, 2007, 10:03:41 AM
SpywareDoctor found a lot of "infected files" even on my clean system when I tested it, many of them strange false positives.  :-X

Susz, have you tried a quick check for rootkits? The new scanners from AVG and Panda are very user friendly, as is the tried-and-trusted BlackLight.

http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5 (http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5)

http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx (http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx)

http://www.f-secure.com/blacklight/ (http://www.f-secure.com/blacklight/)

What exactly are the symptoms now? Ads for games? Do these appear only in IE? Are you taken to a web address, if so, what is it? Is there a company name on the adverts, and if so, what is it?

Title: Re: cawajanga.biz
Post by: essexboy on April 29, 2007, 01:32:55 PM
Hi SUSZANNAH, I would definitely get rid of the EXSMgr.dll from all locations in HJT and remove the file from System32. If you wish I can do a winpfind analysis

This file is legitimate and OK igfxsrvc.dll as a winlogon
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 02:14:55 PM
Thank you Frank and essex..... now for recap

Ran SUPERAntispyware it found

Adware Vundo variant 5 in registry and 1 in files

Adware tracking cookie 5

Trojan Downloader WinFLyer

says it has removed it, then I ran HJT again and it allowed me to remove the BHO and
EXSMgr.dll

Would like to thank everyone who helped in this mission, I just hope it's clean now..... :)

But I would like to know why Avast is not picking up on these   ???
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 02:18:13 PM
To answer the other question, Frank, it was displaying full page ads for bingo sites and games every few minutes, only through IE. I have all security patches in place........ :)

Have installed Firefox now, still afraid to launch IE    :(
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 02:18:19 PM
Part of the reason Vundo was able to run is your old Java.  You should update this at

http://www.java.com/en/download/manual.jsp

and then remove all versions older than 6.1 in Add/Remove Programs.



EDIT:  You could double check your computer with VundoFix just to make sure:

Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
 

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.
Title: Re: cawajanga.biz
Post by: DavidR on April 29, 2007, 02:41:05 PM
Ran SUPERAntispyware it found

Adware Vundo variant 5 in registry and 1 in files
Adware tracking cookie 5
Trojan Downloader WinFLyer
<snip>
Would like to thank everyone who helped in this mission, I just hope its clean now..... :)

But I would like to know why Avast is not picking up on these   ???

Now it is clean, you should look at proactive action as I mentioned earlier (when you were up to your *** in alligators it is hard to pay attention to the trivial). Check out the DropMyRights link in my signature and try to stop them getting established in your system folders and creating registry entries.

As to why avast didn't catch them, your own list answers that partially: 'adware' and the trojan downloader. The actual file is inert (and as such may not be detected by an AV); it is the payload that it is trying to download. You recall that avast was blocking some URLs; that is the web shield detecting the malware trying to be downloaded, so a partial detection.

Whatever browser you choose (and I would suggest firefox), run it under dropmyrights so malware doesn't inherit administrator rights.
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 02:48:56 PM
At least one version of Vundo has rootkit ability so a new hjt log, after VundoFix, would be worthwhile.  It might reveal other problems (if any exist).
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 02:57:46 PM
I have taken note of that David and it will be my next project........ ;D

mauserme, have run the vundo tool says no infected files...will do a new HJT and post.

Also I have updated Java and all the things that Secunia Software Inspector picked up on, apart from security patch KB928090, which I can't find at Microsoft.

Secunia also tells me that Macromedia Flash Player v4x, 7x and 8x are out of date, but I have done a search on the PC and can't find it; I have Adobe Flash Player 9 installed though.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 03:02:54 PM
Logfile of HijackThis v1.99.1
Scan saved at 1:59:34, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe
Title: Re: cawajanga.biz
Post by: FreewheelinFrank on April 29, 2007, 03:03:57 PM
Flash used to be a Macromedia product. Search for a Flash folder in a Macromedia directory.

On my old computer there was an uninstaller in that folder. Run that if possible. Otherwise just try to delete the folder if Windows will allow you to.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 03:04:10 PM
Logfile of HijackThis v1.99.1
Scan saved at 1:59:34, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe


sorry it's in 2 parts, it seems to have grown a bit............. ;D
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 03:05:04 PM
... Also I have updated java ...
Make sure you uninstall all old versions - the update process will not automatically do this.

Here's a link to KB928090

http://www.microsoft.com/downloads/details.aspx?familyid=D9E4181A-05F9-4186-BDCA-C95351983844&displaylang=en

Odd, though.  This is a patch for IE6 and your hjt log shows you have IE7.

And here's a link for the flash player download

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 03:07:24 PM
if it is an IE6 patch do I need to install it? and will it do any harm?
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 03:11:53 PM
if it is an IE6 patch do I need to install it? and will it do any harm?
I would do a manual Windows Update and see if Microsoft says you need it.  Do a Custom update and check in the optional section as well as the critical section.

I will quit responding now so you can post the entire hjt log.
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 03:18:17 PM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://esampler.tns-global.com/esampler/writeaoltest.html?harvest,AOL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: FoxyTunes Toolbar Helper - {784D8FBC-4165-4D88-90FB-62907ACDD045} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: FoxyTunes Toolbar - {1D1901C3-F72A-46f3-9DBB-0AAA0DEEF6DF} - C:\Program Files\FoxyTunes\ForInternetExplorer\components\IE\FoxyTunesForIE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S7ED.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.7/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6836D0D-4E7B-4AFE-AFD2-B53B5D144D7B}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

think I did it right this time      ;D
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 03:34:39 PM
Well, you still have this line

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab

So I assume you've chosen to keep it.  It's related to some online games and would reinstall if you ever play them again.  This would be a good time to open Internet Explorer and see if you have any problems with advertising.  If you do you will have to make a choice on this one.


Did you have a chance to look for EXSMgr.dll?  Anything found?


And you could fix these lines in HJT just to clear some unnecessary clutter

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Otherwise it looks good.

EDIT:   You might as well uninstall Spyware Doctor unless you plan to buy it.  But you already have two very good tools with AVG AntiSpyware and SuperAntispyware, though they won't run in real time past the trial period.  And stop either AVG or SAS from loading at startup (it's easier with SAS - look in the preferences section).
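As an added example, not code from this thread or from HijackThis itself, here is a small Python parser for the O-line log format shown above. It picks out the "(file missing)" / "(no file)" O9 entries and the O16 DPF downloads that mauserme points to; the sample lines are constructed from entries in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on HijackThis lines posted in this thread.
SAMPLE_LOG = """\
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{D6836D0D-4E7B-4AFE-AFD2-B53B5D144D7B}: NameServer = 205.188.146.145
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

@dataclass
class HjtEntry:
    section: str          # "O9", "O16", ... (the HJT section code)
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # first {GUID} in the line, if any
    dangling: bool        # the referenced file no longer exists
    reason: str           # why the line was flagged, "" if it was not

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn HJT log text into structured entries; non-O lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        guid = GUID_RE.search(body)
        # HJT marks orphaned entries with a trailing "(file missing)" or "(no file)".
        dangling = body.endswith("(file missing)") or body.endswith("(no file)")
        reason = ""
        if dangling:
            reason = "target file missing: clutter, safe to fix in HJT"
        elif section == "O16":
            reason = "O16 DPF installs an ActiveX control from the listed URL: review its source"
        entries.append(HjtEntry(section, body, guid.group(0) if guid else None, dangling, reason))
    return entries

def flagged(text: str) -> List[HjtEntry]:
    """Only the entries a reviewer would ask about."""
    return [e for e in parse_hjt(text) if e.reason]

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.reason}\n    {e.body}")
```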
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 04:20:43 PM
Have removed all the entries you mentioned in HJT, including the games one,

Using IE now seems to be ok so far, usually get the ads before now, may be winning at last.... :)

Went to the Windows site, didn't tell me that I needed any critical updates, a lot of custom ones there but have no idea what most of them are for so didn't download anything..........
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 04:28:42 PM
did a search for EXSMgr.dll, came back clear.... woohooo 
Title: Re: cawajanga.biz
Post by: mauserme on April 29, 2007, 04:28:55 PM
Using IE now seems to be ok so far, usually get the ads before now, may be winning at last.... :)
8)

Since you removed that O16 take a look for c:\windows\downloaded program files\popcaploader.dll.  You can delete it if it's there.

I would go with Microsoft's opinion about the update and leave it alone.

One last suggestion.  It would be good to make a clean system restore point and delete the old, possibly infected, points.

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done
Title: Re: cawajanga.biz
Post by: SUSZANNAH on April 29, 2007, 08:01:31 PM
Looked for it, but doesn't seem to be there..... :)

restore point all sorted  :)

Once again thanks for all the help much appreciated     :)


Last lap now is to try to suss out DropMyRights and I think I am good to go    :)
Title: Re: cawajanga.biz
Post by: DavidR on April 29, 2007, 08:30:44 PM
It would be best to print out the information so you can take it slowly step by step. At first it can seem daunting, but the Microsoft page (link in the DropMyRights page) provides some very good information and instruction with images.

Good luck.