Author Topic: viruses infection win32 Trojan1165(trj)  (Read 118348 times)


honeyk

  • Guest
viruses infection win32 Trojan1165(trj)
« on: November 19, 2007, 09:28:48 AM »
Hi, I'm a very new user to my computer and the internet also. Actually I've only been connected for the last 3 months. I have now managed to get my system infected, and with no success with all the anti-virus programs. I found yours recognised the infections and I tried your cleaner with success. If my computer isn't freezing it's crashing. Or otherwise my Internet Explorer home page is opening in multiples and then freezes. Can someone help me please.
« Last Edit: December 01, 2007, 12:03:27 PM by honeyk »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: viruses infection win32 Trojan1165(trj)
« Reply #1 on: November 19, 2007, 09:57:20 AM »
Hi honeyk,

Here are some free scanners you can try (starting with avast!, of course!)

Try a boot time scan with avast! Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.



Try a scan with DrWeb CureIT!



Try the usual free adware/spyware scanners.



AVG Anti-Spyware Free (Requires Win2k/XP)

Ad-Aware Free

Spybot Search & Destroy

SUPERAntiSpyware Free

a-Squared Free



Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.



Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.



Try some online scans. (Disable avast! while scanning.)



F-Secure

BitDefender

Panda

Trend Micro Housecall



If still having problems, post a HijackThis! log.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89439
  • No support PMs thanks
Re: viruses infection win32 Trojan1165(trj)
« Reply #2 on: November 19, 2007, 02:56:31 PM »
Hi, I'm a very new user to my computer and the internet also. Actually I've only been connected for the last 3 months. I have now managed to get my system infected, and with no success with all the anti-virus programs. I found yours recognised the infections and I tried your cleaner with success. If my computer isn't freezing it's crashing. Or otherwise my Internet Explorer home page is opening in multiples and then freezes. Can someone help me please.

What is your firewall? That is an essential part of your system security.

Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
It is fine trying other AVs to try and clean your system but it is important to only have one resident AV on your system at a time.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33986
  • malware fighter
Re: viruses infection win32 Trojan1165(trj)
« Reply #3 on: November 19, 2007, 03:26:41 PM »
Hi honeyk,

Study this cleansing routine (use Google translating tools to translate to English) for Trojan 1165 removal:
http://www.sosordi.net/Depannage/129858-85-win-trojan-

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: viruses infection win32 Trojan1165(trj)
« Reply #4 on: November 20, 2007, 07:20:27 AM »
Hi

How are you making out?

Post a hijackthis log and maybe we can help once we see what's going on.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

honeyk

  • Guest
Re: viruses infection win32 Trojan1165(trj)
« Reply #5 on: November 21, 2007, 01:58:08 AM »
Hi Oldman, I've tried a number of times with no success, to forward a reply to you with an attachment of the log you requested I send you. Can you please explain to me how to send this to you. Thanks Honeyk :-*

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89439
  • No support PMs thanks
Re: viruses infection win32 Trojan1165(trj)
« Reply #6 on: November 21, 2007, 02:05:54 AM »
You post the contents of the log here in the topic, a new post, copy and paste the details from the log.

You may need to split it into two or more posts if it is a big log.

honeyk

  • Guest
Re: viruses infection win32 Trojan1165(trj)
« Reply #7 on: November 21, 2007, 02:16:08 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:32 AM, on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\Windows Desktop Search\wds_sl.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://au.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=asst&client_id=224DDAB001C8185A0044F726&install_time=27-10-2007:14:57&src_id=11003&tb_version=1.0.1.0&q=&url=http://au.yahoo.com (obfuscated)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.ex

honeyk

  • Guest
Re: viruses infection win32 Trojan1165(trj)
« Reply #8 on: November 21, 2007, 02:17:28 AM »
e /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NGServer] C:\Program Files\Symantec\Ghost\ngserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Anti Dog Beep Grid] C:\Documents and Settings\All Users\Application Data\Open Ante Anti Dog\online each.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [88441475] rundll32.exe "C:\WINDOWS\system32\uqqrgoyl.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKCU\..\Run: [Play Tool] C:\DOCUME~1\user\APPLIC~1\GREYCD~1\Atom Tray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYAU
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/229?75916c03fbbc4eeb82ca20dbc53ebe48
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-au\msntabres.dll.mui/230?75916c03fbbc4eeb82ca20dbc53ebe48
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.westnet.com.au
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00A7359.dat
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gmubbuyy.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Ghost Database Service (ngdbserv) - Symantec Corporation - C:\Program Files\Symantec\Ghost\bin\dbserv.exe
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - (no file)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11280 bytes

honeyk

  • Guest
Re: viruses infection win32 Trojan1165(trj)
« Reply #9 on: November 21, 2007, 02:20:45 AM »
Thanks DavidR, very appreciated. Honeyk :-*

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89439
  • No support PMs thanks
Re: viruses infection win32 Trojan1165(trj)
« Reply #10 on: November 21, 2007, 03:41:21 AM »
First, you don't appear to have an active firewall; what is your firewall?

FIX: using HJT (re run a HJT scan, close other windows apart from HJT)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [88441475] rundll32.exe "C:\WINDOWS\system32\uqqrgoyl.dll",b
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYAU (mywebsearch.com has some adverse comments; see http://www.siteadvisor.com/sites/mywebsearch.com.)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab (funwebproducts and imgfarm.com also get some adverse comments; see http://www.siteadvisor.com/sites/imgfarm.com)

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gmubbuyy.exe (file missing)


Unknown: Do you know what these are, and did you install them?
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [Anti Dog Beep Grid] C:\Documents and Settings\All Users\Application Data\Open Ante Anti Dog\online each.exe
O4 - HKCU\..\Run: [Play Tool] C:\DOCUME~1\user\APPLIC~1\GREYCD~1\Atom Tray.exe
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
Unknown
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab


Are you still using windows live messenger as this seems associated (but missing file) ?
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)

Do you still have Norton Ghost ?
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - (no file)
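One way to triage a log like the one above mechanically, as an added example that is not from this thread or from the HijackThis project: a small Python script that scores the kinds of entries DavidR singled out (orphaned "(no file)"/"(file missing)" references, a service with an unknown owner, a non-empty AppInit_DLLs value, a Run value named only with digits) against benign lines copied from the same log. The weights, the threshold and the "eight lowercase letters" name heuristic are assumptions of this example, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: seven lines copied from the HijackThis log posted in this
# thread (four that DavidR listed for fixing, three benign ones for contrast).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [88441475] rundll32.exe "C:\WINDOWS\system32\uqqrgoyl.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00A7359.dat
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gmubbuyy.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_VALUE_RE = re.compile(r"\[(?P<name>[^\]]*)\]")
FILENAME_RE = re.compile(r"([\w~]+\.(?:dll|exe|dat))", re.I)
# Weak heuristic (assumed): eight lowercase letters and nothing else, the shape
# of the generated names in this log (uqqrgoyl.dll, gmubbuyy.exe). Legitimate
# files can look like this too, so it only adds weight and never decides alone.
LOW_INFO_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")

# Assumed weights for this example: an entry is reported when the sum is >= 2.
WEIGHTS = {
    "orphaned": 2,          # "(no file)" / "(file missing)": leftover of a removed component
    "unknown_owner": 2,     # O23 service binary with no vendor information
    "appinit_dll": 3,       # O20: DLL loaded into every process that loads user32.dll
    "numeric_run_name": 2,  # O4 Run value named only with digits, e.g. [88441475]
    "low_info_name": 1,     # see LOW_INFO_NAME_RE
}
REVIEW_THRESHOLD = 2


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)


def analyze_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("unknown_owner")
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("appinit_dll")
    if sec == "O4":
        rm = RUN_VALUE_RE.search(body)
        if rm and rm.group("name").isdigit():
            reasons.append("numeric_run_name")
    # Any file named in the entry that looks machine-generated adds a little weight.
    if any(LOW_INFO_NAME_RE.match(fn) for fn in FILENAME_RE.findall(body)):
        reasons.append("low_info_name")
    return Finding(sec, line.strip(), reasons) if reasons else None


def analyze_log(text: str) -> list:
    """Findings at or above REVIEW_THRESHOLD, highest score first (stable order otherwise)."""
    findings = [f for f in map(analyze_line, text.splitlines()) if f]
    findings = [f for f in findings if f.score >= REVIEW_THRESHOLD]
    findings.sort(key=lambda f: -f.score)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f.score}] {f.section}: {', '.join(f.reasons)}\n    {f.line}")
```

On the sample, the four entries DavidR put under FIX are reported and the NvCplDaemon and avast! lines are not; a score is a prompt to look, not a verdict.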

honeyk

  • Guest
Re: viruses infection win32 Trojan1165(trj)
« Reply #11 on: November 21, 2007, 04:57:15 AM »
Hi again DavidR, 
First you don't appear to have an active firewall, what is your firewall? (I was using CA Internet Security 2007, which I was advised to buy when I got my system. But since I've had all these dramas, and with everyone I spoke to about my computer seeming to think they know what they're doing, one girl turned it off saying I didn't need it. Something to do with having Service Pack 2.)

FIX: using HJT (re run a HJT scan, close other windows apart from HJT)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [88441475] rundll32.exe "C:\WINDOWS\system32\uqqrgoyl.dll",b
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm103YYAU (mywebsearch.com has some adverse comments; see http://www.siteadvisor.com/sites/mywebsearch.com.)

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversFWBInitialSetup1.0.0.15-3.cab (funwebproducts and imgfarm.com also get some adverse comments; see http://www.siteadvisor.com/sites/imgfarm.com)

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gmubbuyy.exe (file missing)


Unknown: Do you know what these are, and did you install them?
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-33D12D468BF0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [Anti Dog Beep Grid] C:\Documents and Settings\All Users\Application Data\Open Ante Anti Dog\online each.exe
O4 - HKCU\..\Run: [Play Tool] C:\DOCUME~1\user\APPLIC~1\GREYCD~1\Atom Tray.exe (Don't know what this is or where it came from. The rest have come from pop-ups since I've had these problems.)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
Unknown
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab


Are you still using windows live messenger as this seems associated (but missing file) ? (No, I don't use Windows Live Messenger, but since having these problems, when I have had files come up with issues I have deleted them and hoped for the best.)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)

Do you still have Norton Ghost ? (Now, Norton Ghost or Symantec Ghost was a disk I loaded when I first got my PC. For a long time it came up every time I turned on my PC, saying it could not load as something was missing. But I tried removing this program again, and it no longer appears on start up.)
O23 - Service: Symantec Ghost Configuration Server (NGServer) - Symantec Corporation - (no file)
(I'm not sure if I've given the answers you need to help me, but I'm still struggling to understand what's to be done to correct my PC. Can you tell me, is this repairable at home or am I wasting your time and mine? Thanks again Honeyk :-*)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: viruses infection win32 Trojan1165(trj)
« Reply #12 on: November 21, 2007, 06:33:16 AM »
Hi  honeyk

but I'm still struggling to understand what's to be done to correct my PC. Can you tell me, is this repairable at home or am I wasting your time and mine? Thanks again Honeyk :-*


I'm suspecting Vundo. This should be very fixable, just follow the steps one at a time and you will be fine. If you have questions, just ask.  ;D We'll even get you fixed up with a real firewall.  8)

A couple of things for you to do. We'll start with the funweb, then the SAS (SUPERAntiSpyware) scan. It should gobble up a lot of the Vundo.

Okay let's start.

Click start, select control panel, double click on add/remove programs. Look for the following programs and if found please uninstall them

My Web Search Bar
My Web Search (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Web Search
My Web Search (Smiley Central or FWP product as applicable)
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way


Open windows explorer and navigate to the following folder

c:\program files

click the + beside program files and delete the following folder by right clicking on them and selecting delete

FunWebProducts
MyWebSearch


If the folders aren't there that's ok

Download  superantispyware

First update SAS Then

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- Ignore files larger than 4MB
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantine.

Leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked. You can post/attach the log in your next reply if you wish.

To attach the log, use the additional options on the reply page.

Note: this scan could take a while. To help speed it up, either boot into Safe Mode and run the scan there (avast won't be running in Safe Mode) or physically disconnect from the internet and pause avast's Standard Shield and any other scanners you have running. Don't forget to resume avast after the scan.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
You can also attach these logs instead of copy and pasting them.

If you have a shortcut to hijackthis on your desktop, please delete it.

Open windows explorer and set the folder options to these

At the top of Windows Explorer click Tools, select Folder Options. On the View tab make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files and Hide Extensions for Known File Types are not checked. Click OK.

Still in windows explorer, navigate to this folder

C:\Program Files\Trend Micro\HijackThis\

-click on the hijackthis folder, then find hijackthis.exe in the right hand panel
-right click that file and select rename
-rename the file hjhoneyk.exe by typing in the box
-click anywhere on the page and make sure the rename stayed.

Now make a new shortcut

right click hjhoneyk.exe, select send to, select desktop(create shortcut)

I know this sounds like a lot, but it isn't, just do things one step at a time. Remember to resume avast standard shield when the scan is done.  ;)

After you post the logs we can finish it off.

« Last Edit: November 21, 2007, 07:29:21 AM by oldman »

honeyk

  • Guest
Re: viruses infection win32 Trojan1165(trj)
« Reply #13 on: November 21, 2007, 07:26:52 AM »
Hi ya Oldman, just had a chance to see if you had left me any tasks. I've been on and off all day. As you can see I've also had some mostly grateful help from DavidR. It's just, I am sorry to say, I just can't understand his talk. I'm not a computer freak, and this is mostly all new to me. As my son has just started school I've got some free time for myself. I've printed off what you sent, and will give it a go straight after tea. Let you know how I go! Thank you Honeyk :-* ;D

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: viruses infection win32 Trojan1165(trj)
« Reply #14 on: November 21, 2007, 07:34:41 AM »
Hi, please note that I've added a wee bit. You may not have seen it, but no matter. Fly at it, the SAS scan may take a while, so go for a stroll, have a nap.

It's 10:40pm here, so I'll check in when I get up and see how you are doing.