4 post
4 post
and the last 5 post
Hi CrazyMonkey!
I followed the steps you made to shash25 and this is what I got.
I have the Adware.Agent.BN too as a problem and here is the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34:36, on 5.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: RDL Rolex - {B8C5A2C9-639D-4A41-991C-005412790C99} - C:\WINDOWS\dkxrstqgxt.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: enlfxgw - {5CE71183-A2DF-4834-9D2F-8BA58000126A} - C:\WINDOWS\enlfxgw.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RegistrySmart] C:\Program Files\RegistrySmart\RegistrySmart.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] OSK.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] OSK.exe (User 'Default user')
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?3a7bc0c6d8184c8d85eb3791f698fc32
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?3a7bc0c6d8184c8d85eb3791f698fc32
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: btrklfr - {B95F3B63-909F-434D-8C07-6815663ADEED} - C:\WINDOWS\btrklfr.dll
O21 - SSODL: apdqnxp - {5015925D-5E8F-47F0-9819-9EC597C841BC} - C:\WINDOWS\apdqnxp.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Documents and Settings\Annica\Omat tiedostot\CASIO\Inputs\Jarin kansio\Ohjelmat\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Documents and Settings\Annica\Omat tiedostot\CASIO\Inputs\Jarin kansio\Ohjelmat\bin\ibserver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 8276 bytes
Hope you find something because I want to get rid of it and fast (it's killing me with the Internet Explorer popups). If you find something please tell me what to do! (I don't know much about malware and spyware so please say it so that I understand)
Best Regards
_Assassin_
BTW I'm from Finland so don't wonder if my English sucks!
I don't know where the Thank User button is, but THANK YOU VERY MUCH!!! I really appreciate your help to get rid of the Adware. My computer is almost back to normal.
I have a couple remaining issues that I hope you can help me with.
1) I cannot view certain images anymore, nor my son on his daycare webcam. I tried to send you a sample website, but the forum won't let me because I haven't put in 5 posts yet.
For the images, I get a small white box with a red X in the top right corner of where the image should be.
For the webcam, there's a yellow triangle with an exclamation point in the bottom left corner of my screen that shows up and says Done or Error. I know the websites are ok because I can see them from another computer.
2) This is minor, but I cannot left click on a field that requires my login ID or password and have the data show up automatically anymore.
Thanks so much for your help.
Hi together!
Like Swords, I also don't know where the Thank User button is! So it's very good work you did!
Best wishes for all adware-infected users
greetz
sash
Your log file appears clean. Congratz =]
Swords, no problem. As for your current image problem, I guess this problem is in a browser? If so, which one? Try re-installing that browser. Have you tried it in a different browser? If so, what happens? Post in some other sections to enable you to post links to any screenshots etc. Thanks.
As for Assassin, I will post now.
These are removal instructions for Assassin.
As a beginning note, I am not responsible for any problems that may occur whilst using these removal steps I provide. However, I am a member of Alliance of Security Analysis Professionals, and try my utmost best to limit any side effects that can occur.
This log shows you are quite heavily infected with multiple adware & malware variants. This removal could be quite extensive. Have you run Smitfraud and Combofix? If you have, you can skip the Smitfraud and Combofix steps. It's advised to run these two programs in safe mode.
----------------------------------------------------------------------------------------------------
SmitFraud - Skip if already ran in safemode
----------------------------------------------------------------------------------------------------
Download SMITFRAUDFIX (Save it to a known location)-
SmitFraudFIX
Boot into Safe Mode *Safe Mode required to kill processes/start up's/conflicts* -
Windows XP
* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.
To use the System Configuration Utility method
* Close all open programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* The System Configuration Utility appears, On the BOOT.INI tab, Check the "/SAFEBOOT" option, and then click OK and Restart your computer when prompted.
* The computer restarts in Safe mode.
* Perform the troubleshooting steps for which you are using Safe Mode.
Once in safe mode, double-click on SMITFRAUDFIX.exe.
Once the BlueBox shows, select 1 (To search)
Once finished searching you run option 2 (Clean) *May require a restart of application/system*
During cleaning if prompted to clean registry select Y (Yes)
Once this is finished, reboot your computer, or, when you are finished with troubleshooting in Safe mode (MSCONFIG WAY), open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer.
----------------------------------------------------------------------------------------------------
Combofix - Skip if already ran in safemode
----------------------------------------------------------------------------------------------------
**Once in safe mode**
Combofix fixes many malware problems and tampered task manager entries.
- Download Combo Fix to your computer (ie desktop)
- Close all open Windows including this one.
- Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix (Can re-enable these programs after cleaning).
- Finally run combofix.exe and click "Run" on any security warnings that may pop-up.
- Follow the onscreen prompts to complete the combofix process.
A logfile should be saved to a location made known to you on screen whilst running combofix; please make a note of this location. After completion of combofix, reboot your computer (if you haven't already done so), then please copy the contents of the combofix logfile here.
----------------------------------------------------------------------------------------------------
- Re-Run Hijackthis.
- Click "Do a system scan only" Once the results of the scan are done, please tick/select these entries for removal:
*
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: RDL Rolex - {B8C5A2C9-639D-4A41-991C-005412790C99} - C:\WINDOWS\dkxrstqgxt.dll
O3 - Toolbar: enlfxgw - {5CE71183-A2DF-4834-9D2F-8BA58000126A} - C:\WINDOWS\enlfxgw.dll
O4 - HKUS\S-1-5-18\..\RunOnce: [] OSK.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] OSK.exe (User 'Default user')
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O21 - SSODL: btrklfr - {B95F3B63-909F-434D-8C07-6815663ADEED} - C:\WINDOWS\btrklfr.dll
O21 - SSODL: apdqnxp - {5015925D-5E8F-47F0-9819-9EC597C841BC} - C:\WINDOWS\apdqnxp.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
*
Make sure only the above entries are ticked/selected.
Finally, along with the combofix log, post an updated Hijackthis log so I can check that it is hopefully clean.
Good Luck...
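A small triage pass over HijackThis lines, added here as an illustration; it is not part of any post in this thread and not HijackThis's own logic. The three heuristics and the hard-coded `C:\WINDOWS` directory are assumptions chosen to match traits visible in the entries listed for removal above, and the sample input is a handful of lines copied from the first log in the thread.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Lines copied from the first HijackThis log in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: RDL Rolex - {B8C5A2C9-639D-4A41-991C-005412790C99} - C:\WINDOWS\dkxrstqgxt.dll
O3 - Toolbar: enlfxgw - {5CE71183-A2DF-4834-9D2F-8BA58000126A} - C:\WINDOWS\enlfxgw.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: btrklfr - {B95F3B63-909F-434D-8C07-6815663ADEED} - C:\WINDOWS\btrklfr.dll
O21 - SSODL: apdqnxp - {5015925D-5E8F-47F0-9819-9EC597C841BC} - C:\WINDOWS\apdqnxp.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""


class Entry(NamedTuple):
    section: str            # HijackThis section code, e.g. "O2"
    kind: str               # e.g. "BHO", "Toolbar", "SSODL"
    name: str               # display name from the log
    clsid: Optional[str]    # COM class id, None for O24 entries
    target: str             # file path, URL, or "(no file)"


# "<section> - <kind>: <name> - {CLSID} - <target>" (O2, O3, O9, O18, O21 ...)
CLSID_ENTRY = re.compile(
    r"^(O\d+) - ([^:]+): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# "O24 - Desktop Component N: <name> - <target>"
DESKTOP_COMPONENT = re.compile(r"^(O24) - (Desktop Component \d+): (.*?) - (.+)$")

# Assumption: Windows is installed in C:\WINDOWS, as in the logs in this thread.
WINDOWS_DIR = r"c:\windows"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for line shapes this example skips."""
    line = line.strip()
    m = CLSID_ENTRY.match(line)
    if m:
        return Entry(*m.groups())
    m = DESKTOP_COMPONENT.match(line)
    if m:
        section, kind, name, target = m.groups()
        return Entry(section, kind, name, None, target)
    return None


def reasons_for(entry: Entry) -> List[str]:
    """Return the (assumed) heuristics an entry trips; empty list if none."""
    reasons = []
    target = ntpath.normcase(entry.target)
    if target == "(no file)":
        reasons.append("registered CLSID has no file on disk")
    elif (entry.clsid and target.endswith(".dll")
          and ntpath.dirname(target) == WINDOWS_DIR):
        reasons.append("DLL sits directly in the Windows directory, "
                       "not in system32 or a vendor folder")
    raw = entry.target.lower()
    if entry.section == "O24" and raw.startswith("file:///"):
        local = ntpath.normcase(raw[len("file:///"):])
        if local.startswith(WINDOWS_DIR + "\\"):
            reasons.append("desktop component renders a local page "
                           "stored under the Windows directory")
    return reasons


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every parsed line that trips a heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        why = reasons_for(entry)
        if why:
            flagged.append((entry, why))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{entry.section:<4}{entry.kind}: {entry.name} -> {entry.target}")
        for reason in why:
            print(f"      - {reason}")
```

A flagged line is only a candidate for a closer look; the Run/RunOnce and context-menu entries on the removal list above are outside what these heuristics cover.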
Hi again!
It's going to be a heck of a list but let's hope that you find something. If you wonder why I want you to find something I will tell you later in this post. And now for the report it gave after the fix:
SmitFraudFix v2.266
Scan done at 22:31:51,07, pe 07.03.2008
Run from C:\Documents and Settings\Annica\Ty”p”yt„\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [versio 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\DOCUME~1\Annica\TYPYT~1\Error Cleaner.url Deleted
C:\DOCUME~1\Annica\TYPYT~1\Privacy Protector.url Deleted
C:\DOCUME~1\Annica\TYPYT~1\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Annica\Suosikit\Error Cleaner.url Deleted
C:\DOCUME~1\Annica\Suosikit\Privacy Protector.url Deleted
C:\DOCUME~1\Annica\Suosikit\Spyware?Malware Protection.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{35C7C5AC-739C-422A-B41E-15068F8FB14A}: DhcpNameServer=192.168.0.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{35C7C5AC-739C-422A-B41E-15068F8FB14A}: DhcpNameServer=192.168.0.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{35C7C5AC-739C-422A-B41E-15068F8FB14A}: DhcpNameServer=192.168.0.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.254
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
And now for the ComboFix (BTW I didn't reboot between smitfraud and combo, hope it wasn't necessary):
ComboFix 08-03-07.3 - Annica 2008-03-07 22:36:17.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1035.18.68 [GMT 2:00]Running from: C:\Documents and Settings\Annica\Työpöytä\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((((((((((((((( Muut poistot ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\a.exe
C:\WINDOWS\dkxrstqgxt.dll
C:\WINDOWS\enlfxgw.dll
C:\WINDOWS\rs.txt
.
((((( Tiedostot, jotka on luotu seuraavalla aikavälillä: 2008-02-07 to 2008-03-07 )))))))))))))))))
.
2008-03-05 21:29 . 2008-03-05 21:29 <KANSIO> d-------- C:\Program Files\Trend Micro
2008-03-03 10:13 . 2008-03-07 22:29 <KANSIO> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-03 10:12 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-03 10:12 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-03 10:12 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-03 10:12 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-03 10:11 . 2008-03-04 20:44 <KANSIO> d-------- C:\Program Files\Spyware Doctor
2008-03-03 10:11 . 2008-03-03 10:11 <KANSIO> d-------- C:\Documents and Settings\Annica\Application Data\PC Tools
2008-03-03 01:00 . 2008-03-03 00:10 339,968 --a------ C:\WINDOWS\btrklfr.dll
2008-03-03 01:00 . 2008-03-03 00:10 200,704 --a------ C:\WINDOWS\apdqnxp.dll
2008-03-03 01:00 . 2008-03-03 00:10 81,920 --a------ C:\WINDOWS\fqspogw.exe
2008-02-13 16:50 . 2008-02-13 16:50 <KANSIO> d-------- C:\Program Files\Avira
2008-02-13 16:50 . 2008-02-13 16:50 <KANSIO> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-07 05:18 . 2008-02-07 05:18 <KANSIO> d-------- C:\Program Files\Lonely Cat Games
2008-02-07 05:18 . 1999-03-23 09:12 299,520 --a------ C:\WINDOWS\uninst.exe
.
(((((((((((((((((((((((((((((((((((( Find3M-raportti ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 17:45 --------- d-----w C:\Program Files\LimeWire
2008-02-21 15:45 --------- d-----w C:\Documents and Settings\Annica\Application Data\LimeWire
2008-02-21 15:38 --------- d-----w C:\Program Files\Paint Shop Pro 6
2008-02-17 18:52 --------- d-----w C:\Program Files\Winamp
2008-02-08 14:37 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-31 18:25 --------- d-----w C:\Documents and Settings\Annica\Application Data\Corel
2008-01-20 14:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 14:23 --------- d-----w C:\Program Files\Veoh Networks
2008-01-17 15:31 --------- d-----w C:\Program Files\MSN Messenger
2008-01-15 17:36 --------- d-----w C:\Documents and Settings\Annica\Application Data\U3
2008-01-14 18:18 --------- d-----w C:\Documents and Settings\Annica\Application Data\Virtual Notes cache
2008-01-12 17:20 --------- d-----w C:\Program Files\Muspub6
2008-01-12 17:11 --------- d-----w C:\Program Files\Warcraft II BNE
2008-01-12 12:02 10,632,370 ----a-w C:\WINDOWS\system32\drivers.zip
2008-01-12 11:58 198,268,466 ----a-w C:\WINDOWS\system32\aaaamon.zip
2008-01-10 17:57 --------- d-----w C:\Program Files\easetech
2008-01-10 17:17 --------- d-----w C:\Program Files\Filzip
2008-01-10 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-01-10 17:10 26,112 ----a-w C:\WINDOWS\system32\drivers\nchssvad.sys
2008-01-10 17:10 --------- d-----w C:\Documents and Settings\Annica\Application Data\NCH Swift Sound
2008-01-10 17:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
2007-12-16 13:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
.
------- Sigcheck -------
dbe97f84e57c22cad0e945931a2f1a13 C:\WINDOWS\system32\winlogon.exe
----a-w 502,784 2007-06-06 11:19:37 C:\WINDOWS\system32\winlogon.exe
.
(((((((((((((((((((((((((((((( Rekisterin käynnistyskohteet )))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Huom* Tyhjiä arvoja ja laillisia oletusarvoja ei näytetä
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-12-13 18:49 1185120 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 18:49 1185120]
[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 18:49 1185120]
[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:55 5674352]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-01-30 13:11 3497984]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 17:41 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ServiceLayer"="C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 07:43 69632]
"SandIcon"="C:\ImageMate CompactFlash USB\SandIcon.Exe" [2000-11-13 11:36 131072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"RegistrySmart"="C:\Program Files\RegistrySmart\RegistrySmart.exe" [2007-10-16 22:45 4044016]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-13 16:57 249896]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="OSK.exe" [2006-10-04 15:33 216064 C:\WINDOWS\system32\osk.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"btrklfr"= {B95F3B63-909F-434D-8C07-6815663ADEED} - C:\WINDOWS\btrklfr.dll [2008-03-03 00:10 339968]
"apdqnxp"= {5015925D-5E8F-47F0-9819-9EC597C841BC} - C:\WINDOWS\apdqnxp.dll [2008-03-03 00:10 200704]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Intuwave\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Documents and Settings\\Annica\\Omat tiedostot\\CASIO\\Inputs\\Jarin kansio\\Ohjelmat\\BS2-20070828\\BurningSand2.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\JBuilder2007\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
S2 InterBaseGuardian;InterBase Guardian;C:\Documents and Settings\Annica\Omat tiedostot\CASIO\Inputs\Jarin kansio\Ohjelmat\bin\ibguard.exe [1999-09-06 09:56]
S3 InterBaseServer;InterBase Server;C:\Documents and Settings\Annica\Omat tiedostot\CASIO\Inputs\Jarin kansio\Ohjelmat\bin\ibserver.exe [1999-09-06 09:56]
S3 NtApm;NT Apm/Legacy Interface -ohjain;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-10-05 17:47]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2002-06-12 21:50]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9020d3b0-8bbb-11dc-99ca-0080c8f38b80}]
\Shell\AutoRun\command - F:\LaunchU3.exe
.
'Ajoitetut tehtävät'-kansion sisältö
"2007-12-26 18:59:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-05 16:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-03-07 19:55:16 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart.Annica.Runs RegistrySmart to optimize your registry.
"2008-03-07 20:24:51 C:\WINDOWS\Tasks\Tarkistetaan Windows Live -työkalurivin päivitykset.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2008-03-07 22:42:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-07 22:46:41
ComboFix-quarantined-files.txt 2008-03-07 20:46:35
.
2008-02-13 15:20:43 --- E O F ---
And last the Hijackthis log (it didn't find the O24 - Desktop Component 0: Privacy Protection - file:///C:\Windows\privacy_danger\index.htm dunno why):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:56:38, on 7.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RegistrySmart] C:\Program Files\RegistrySmart\RegistrySmart.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Avaa uuteen etuvälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/230?3a7bc0c6d8184c8d85eb3791f698fc32
O8 - Extra context menu item: Avaa uuteen taustavälilehteen - res://C:\Program Files\Windows Live Toolbar\Components\fi-fi\msntabres.dll.mui/229?3a7bc0c6d8184c8d85eb3791f698fc32
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Oheistiedot - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: btrklfr - {7F7182AA-E854-4625-88F0-71642E225AED} - C:\WINDOWS\btrklfr.dll
O21 - SSODL: apdqnxp - {485F2187-A8AB-4FB8-B60C-E4F01391574F} - C:\WINDOWS\apdqnxp.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Documents and Settings\Annica\Omat tiedostot\CASIO\Inputs\Jarin kansio\Ohjelmat\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Documents and Settings\Annica\Omat tiedostot\CASIO\Inputs\Jarin kansio\Ohjelmat\bin\ibserver.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7724 bytes
Hope you find something because the explorer.exe (probably the adware.agent.BN is using at least the S.D. says so (Spyware Doctor)) is trying to get to the internet via internet explorer (i don't need internet explorer because i got firefox so i don't know what would happen if you just uninstalled the internet explorer)
it took 2 hours to get this post in here because the explorer.exe is using 100% of my CPU and it's freaking slow to use anything with this computer so i hope you find something
Best Regards
_Assassin_
P.S. Could you tell me where the thank button is located because i can't find it anywhere so i could thank you when you are helpin' me out. Good Night!
Explorer.exe is not Internet Explorer... Internet Explorer is IEXPLORER.EXE.
explorer.exe is the Windows Program Manager or Windows Explorer. It manages the Windows Graphical Shell including the Start menu, taskbar, desktop etc...
Ok first of all we will try VundoFix, hopefully this will clear the Vundo infection.
# Click the Download VundoFix link and save the file to your desktop. Code: http://files3.majorgeeks.com/files/d600a2c0f0abaa265941e3c4c2510c26/spyware/VundoFix.exe
# Locate the VundoFix.exe file on your desktop and double-click it to open VundoFix.
# Click Scan for Vundo. (Figure 1)
# VundoFix will begin scanning your computer. Any infections it finds will be listed in the white box above the Scan for Vundo button. (Figure 2)
# After VundoFix is finished scanning, it lists infected files. Click Remove Vundo.
# After VundoFix removes the infected files, it will prompt you to restart your computer. Click OK to restart your computer.
After the Reboot, run SDFix. Hopefully this will clean out any elements of Agent.BN.
Download SDFix and save it to your Desktop.
SDFix.exe
*Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
*Please then reboot your computer in Safe Mode. Safe Mode is vital.
*Open the extracted SDFix folder and double click RunThis.bat to start the script.
*Type Y to begin the cleanup process.
*It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
*Press any Key and it will restart the PC.
*When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
*Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Now try running CWShredder; a variant of CoolWebSearch is visible.
Download CWShredder - Save it to your desktop.
Open CWShredder.exe and simply click fix and follow onscreen prompts. Code: http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Finally, attempt to remove these files in Hijackthis (like you have previously done). However, they may not be there; they could have changed filenames or simply have been removed by the above applications.
Please remove these following entries in Hijackthis.
Code:
O21 - SSODL: btrklfr - {7F7182AA-E854-4625-88F0-71642E225AED} -C:\WINDOWS\btrklfr.dll
O21 - SSODL: apdqnxp - {485F2187-A8AB-4FB8-B60C-E4F01391574F} - C:\WINDOWS\apdqnxp.dll
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
Post this Report.txt file along with a NEW Hijackthis log. Hopefully your CPU usage will allow you to complete these scans in minimal time =]
The Thank user button is below my post. However i think you need a certain post count to be able to thank users.
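The re-check requested in the reply above (a new HijackThis log after the fixes), as an added example that is not part of the original thread: it compares the posted removal list with a follow-up log and reports whether each entry persists, is back under a different file name with the same CLSID, or is gone. The follow-up log and the `xqzexample` name are constructed for illustration.

```python
import re

# Removal list as posted in the thread (first entry lacks a space before the path).
FIX_LIST = r"""
O21 - SSODL: btrklfr - {7F7182AA-E854-4625-88F0-71642E225AED} -C:\WINDOWS\btrklfr.dll
O21 - SSODL: apdqnxp - {485F2187-A8AB-4FB8-B60C-E4F01391574F} - C:\WINDOWS\apdqnxp.dll
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
"""
# Constructed follow-up log: one entry unchanged, one back under a made-up DLL
# name with the same CLSID, the service entry gone.
NEW_LOG = r"""
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: btrklfr - {7F7182AA-E854-4625-88F0-71642E225AED} - C:\WINDOWS\btrklfr.dll
O21 - SSODL: xqzexample - {485F2187-A8AB-4FB8-B60C-E4F01391574F} - C:\WINDOWS\xqzexample.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
ENTRY = re.compile(r"^([ORF]\d+) - (.*)$")          # section code, then the rest
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)", re.I)

def parse(text):
    """Yield one dict per HijackThis entry line: section, CLSID (if any), file path."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            clsid, path = CLSID.search(m.group(2)), PATH.search(m.group(2))
            yield {"section": m.group(1),
                   "clsid": clsid.group(0).upper() if clsid else None,
                   "path": path.group(0).lower() if path else None}

def recheck(fix_list, new_log):
    """Classify each fix-list entry as 'persists', 'renamed' or 'gone' in the new log."""
    new = list(parse(new_log))
    result = {}
    for want in parse(fix_list):
        same_section = [e for e in new if e["section"] == want["section"]]
        if any(e["path"] == want["path"] for e in same_section):
            status = "persists"
        elif want["clsid"] and any(e["clsid"] == want["clsid"] for e in same_section):
            status = "renamed"   # same CLSID registered again with another file name
        else:
            status = "gone"
        result[want["path"]] = status
    return result

if __name__ == "__main__":
    for path, status in recheck(FIX_LIST, NEW_LOG).items():
        print(f"{status:8} {path}")
```

Matching on the CLSID as well as the path is what catches an entry that was re-registered under a new file name, which a path-only comparison would report as removed.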
vundo didn't find anything and when i put the computer in safe mode and started the combo end when it rebooted it didn't do anything after it and when i tried the hijackthis it said it had deleted the files but when i scanned it again it found them again so it couldn't delete them (tried many times)
Desperate, what should i do?
If you don't have any suggestion then here is mine but don't read it if you have one.
I have a suggestion that i uninstall windows and install it again but could you tell what files are infected so that i know that i don't copy them to my other harddrive (USB-enabled) because i don't want infected files in the new windows
Hmm he seems persistent, often a format is the best/only option. I must format soon, windows is all sluggish
Just do not copy over any Windows Files, just your documents music videos etc. Try and leave program files out as well... That should be that, do not copy over any files if you do not know what they do.
ok then thanx you tried your best i appreciate it i tell you when i have finished the new installation (it could take a few weeks but i try as soon as possible)
Best Regards
_Assassin_
BTW it was the explorer.exe (and it was the program that used 100% of my CPU even when i put the priority low and others to high) that tried to start the IEXPLORER.EXE, at least that's what S.D. says. (and i know what's the difference with explorer.exe and IEXPLORER.EXE)
ok then actually i forgot to tell when my PC is workin and it has now been workin for a month without any problems but i actually had to remove all the files twice because windows couldn't delete all the files at once (dunno why) but when i did it and installed the XP again it finally worked and thanx again i appreciate that u helped me
Hello everyone !
Im going crazy now !!!
2nd post