Spybot won't start, can't delete spybotsd.exe, HijackThis won't run anymore too



freshwater
2009-09-12, 07:11
Hello,

(Tashi advised me to start a new topic)

I think that I have some malware, because my computer wouldn't let me start Spybot (it says that I don't have permission) or Ad-Aware.
I can't provide you with HJT logs, either, because the computer won't let me run HijackThis anymore, either. I just installed it, but after a while the window disappeared. Now I can't start the application at all.

Thanks in advance.

Can anyone help?

Here's my ComboFix Log:

ComboFix 09-09-12.A0 - Nana 09/13/2009 11:00.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.1022.441 [GMT -5:00]
Running from: D:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\somgomiselfr.exe
.
---- Previous Run -------
.
c:\windows\keysetup.1700[1].exe
c:\windows\msa.exe
c:\windows\pp21cn.dll
c:\windows\run.log
c:\windows\sonce122730.dat
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\wiaserviv.log

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-12 23:41 . 2009-09-12 23:41 47616 ----a-w- C:\Win32kDiagonal.exe
2009-09-12 05:05 . 2009-09-12 05:05 -------- d-----w- c:\program files\Trend Micro
2009-09-12 04:54 . 2009-09-12 14:21 -------- d-----w- c:\program files\Spybot - Search & Destroytest
2009-09-12 04:40 . 2009-09-12 04:40 -------- d-----w- c:\program files\VS Revo Group
2009-09-12 04:12 . 2009-09-13 15:59 -------- d--h--w- c:\windows\PIF
2009-09-12 02:26 . 2009-09-12 02:26 -------- d-----w- c:\program files\CleanUp!
2009-09-12 02:13 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-12 02:11 . 2009-09-12 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-11 23:50 . 2009-09-12 04:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-11 17:21 . 2009-09-11 17:21 4825088 ----a-w- c:\program files\neob.exe
2009-09-10 05:13 . 2009-09-11 23:05 -------- d-----w- c:\program files\Spybot - Search & Destroy1
2009-09-09 01:47 . 2009-09-09 02:48 -------- d-----w- C:\NbN assistant editors
2009-09-05 00:57 . 2009-09-05 01:41 -------- d-----w- c:\documents and settings\EYJA winners trip Berlin
2009-08-16 18:10 . 2009-08-16 18:10 -------- d-----w- c:\program files\Freeware PDF Unlocker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 15:52 . 2006-10-03 01:19 -------- d-----w- c:\documents and settings\Nana\Application Data\Skype
2009-09-13 13:09 . 2008-02-28 03:09 -------- d-----w- c:\documents and settings\Nana\Application Data\skypePM
2009-09-12 14:40 . 2009-05-02 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-12 14:21 . 2006-11-08 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-11 23:17 . 2009-05-03 03:25 5632 --sha-w- c:\program files\Thumbs.db
2009-09-11 23:07 . 2006-11-08 07:23 -------- d-----w- c:\program files\spybot
2009-09-10 19:18 . 2006-09-27 00:19 -------- d-----w- c:\program files\Google
2009-09-10 03:13 . 2009-09-10 03:13 991741 ----a-w- c:\windows\system32\xa.tmp
2009-09-05 00:53 . 2009-08-09 16:02 -------- d-----w- c:\documents and settings\Nana\Application Data\FileZilla
2009-08-28 14:42 . 2009-05-02 15:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 14:42 . 2009-05-02 15:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 14:42 . 2007-03-13 18:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 12:07 . 2009-08-09 16:06 -------- d-----w- c:\program files\FileZilla Server
2009-08-10 04:35 . 2009-08-10 04:33 39160414 ----a-w- c:\program files\ManageEngine_EventLogAnalyzer.exe
2009-08-09 16:02 . 2009-08-09 16:02 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-09 16:02 . 2009-08-09 16:02 2873754 ----a-w- c:\program files\FileZilla_Server-0_9_32.exe
2009-08-09 16:01 . 2009-08-09 16:01 4001773 ----a-w- c:\program files\FileZilla_3.2.6.1_win32-setup.exe
2009-08-06 18:30 . 2009-08-06 18:30 -------- d-----w- c:\program files\ffdshow
2009-08-06 18:26 . 2009-08-06 18:26 -------- d-----w- c:\program files\PlayFLV
2009-07-27 22:26 . 2009-07-27 22:14 -------- d-----w- c:\program files\Favorite-Games
2009-06-07 14:28 . 2009-06-07 14:28 3168382 ----a-w- c:\program files\SopCast_3.0.3_by_Myp2p.eu_official.zip
2009-06-07 14:22 . 2009-06-07 14:21 3006976 ----a-w- c:\program files\TvantsSetup.exe
2009-05-02 15:40 . 2009-05-02 15:39 64470784 ----a-w- c:\program files\avg_free_stf_en_85_325a1500.exe
2009-03-30 18:12 . 2009-03-30 18:11 13440584 ----a-w- c:\program files\Install_AIM.exe
2009-03-21 18:13 . 2009-03-21 18:13 267372 ----a-w- c:\program files\21032009(001).jpg
2009-03-21 14:10 . 2009-03-21 14:03 22285608 ----a-w- c:\program files\SkypeSetup.exe
2009-03-16 14:30 . 2009-03-16 14:30 1301304 ----a-w- c:\program files\WindowsXP-KB917021-v3-x86-ENU.exe
2007-11-26 02:18 . 2007-11-26 02:18 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2007-11-26 02:15 . 2007-11-26 02:15 25685128 ----a-w- c:\program files\wordview_en-us.exe
2006-12-28 11:03 . 2006-12-28 11:03 1914 ----a-w- c:\program files\NADYA.sv2i
2006-12-28 11:03 . 2006-12-28 11:03 5636096 ----a-w- c:\program files\D_Drive001.v2i
2007-10-09 21:50 . 2006-10-04 18:26 168 --sh--r- c:\windows\system32\8B206616FF.sys
2007-10-09 21:50 . 2006-10-04 18:26 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Nana\OctoshapeClient.exe" [2006-02-13 214648]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-03 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 528384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Skype Recorder"="c:\program files\Skype Recorder\Skype Recorder.exe" [2010-12-04 748544]
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2009-06-21 1226240]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\Nana\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-28 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-26 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2008-10-8 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 14:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sopcast\\SopCast.exe"=
"c:\\Program Files\\TVants\\Tvants.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Octoshape Streaming Services\\Nana\\OctoshapeClient.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\ICQ6\\ICQ.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Documents and Settings\\Nana\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9741:TCP"= 9741:TCP:BitComet 9741 TCP
"9741:UDP"= 9741:UDP:BitComet 9741 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/11/2009 9:13 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:45 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:45 AM 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/11/2007 1:45 AM 124832]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:45 AM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/30/2009 1:13 PM 24652]
S2 AdobeActiveFileMonitor6.0Alerter;Adobe Active File Monitor V6 AdobeActiveFileMonitor6.0Alerter;c:\documents and settings\Nana\wpv401237130579.cpx run --> c:\documents and settings\Nana\wpv401237130579.cpx run [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 s716bus;Sony Ericsson Device 716 driver (WDM);c:\windows\system32\drivers\s716bus.sys [12/4/2008 9:11 PM 83208]
S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;c:\windows\system32\drivers\s716mdfl.sys [12/4/2008 9:13 PM 15112]
S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;c:\windows\system32\drivers\s716mdm.sys [12/4/2008 9:13 PM 108552]
S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s716mgmt.sys [12/4/2008 9:13 PM 100360]
S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);c:\windows\system32\drivers\s716nd5.sys [12/4/2008 9:14 PM 23176]
S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;c:\windows\system32\drivers\s716obex.sys [12/4/2008 9:13 PM 98568]
S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);c:\windows\system32\drivers\s716unic.sys [12/4/2008 9:14 PM 98952]
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{8DC78ABA-12EA-4701-ABD1-03B9EAD7A800}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoomail.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
DPF: {028C3B99-F9B0-4188-8C2C-D71CA84824D5} - hxxp://83.228.43.70:9999/program/SonySncCs1011View.cab
DPF: {6C0AE182-9095-4377-8DC9-CD586E31E486} - hxxp://80.253.55.165/c20viewer.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://www.rusenski.info/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Nana\Application Data\Mozilla\Firefox\Profiles\mo9hd92j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - www.yahoomail.com (http://www.yahoomail.com)
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\documents and settings\Nana\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Octoshape Streaming Services\Nana\octoprogram-L03-NMS0810164_SUA_000\npoctoshape.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
HKLM-Run-ppmate - c:\program files\PPMate\PPMate\ppmate.exe
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 11:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AdobeActiveFileMonitor6.0Alerter]
"ImagePath"="c:\documents and settings\Nana\wpv401237130579.cpx run"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1276)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2228)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\FileZilla Server\FileZilla server.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Common Files\Protexis\License Service\PSIService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-09-13 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 16:36

Pre-Run: 54,962,405,376 bytes free
Post-Run: 54,850,732,032 bytes free

256 --- E O F --- 2007-09-25 11:22
===========================

Edit: FYI ;)

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans. :)
Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)

NOTE: ComboFix is not a general purpose cleaning tool!
It should only be run under the supervision of someone who has been trained and continues their education in its use.
The Waiting Room (http://forums.spybot.info/forumdisplay.php?f=37)
Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/showthread.php?t=1137)

ken545
2009-09-16, 00:39
Hello freshwater

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


You need to enable Windows to Show all Files and Folders
Instructions for your Operating System HERE (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

c:\program files\neob.exe <--Delete this file



Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double-click the TFC icon to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.






Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please





Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Post the reports for

1. exeHelper
2. Malwarebytes
3. RSIT

ken545
2009-09-24, 04:13
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.