Thread: Help- BHOs won't delete

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Default Help- BHOs won't delete

    Hello all. Please, I need serious and urgent help. There's this BHO (browser helper object) that was installed on my PC by some sites and just won't delete. It keeps mutating and changing file name each time I reboot the PC.
    The file works by trying to redirect me to a site, syserrors.com.
    I am getting all sorts of pop-ups and irritating messages from these sites: spytrooper.com, spyaxe.com and razespyware.com. In fact I believe these guys installed this thing on my PC to make me buy their software.
    I have used all sorts of antispyware to delete this file but it won't delete.
    Each time I try deleting, I keep getting the message, file is being used by another programme.
    Please, how can I get rid of this thing without formatting my PC? I can't even use my MSN Messenger because of this thing.
    Your help is highly needed. Thanks

  2. #2
    Visiting Admin ChrisRLG's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    17

    Default

    http://forums.spybot.info/showthread.php?t=288

    Follow that - and post your HJT log as a reply to this topic.
    ASAP member since 2004 - MS MVP member since 2005
    Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Default the log

    Quote Originally Posted by ChrisRLG
    http://forums.spybot.info/showthread.php?t=288

    Follow that - and post your HJT log as a reply to this topic.
    Logfile of HijackThis v1.99.1
    Scan saved at 12:35:08 PM, on 11/10/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\atievxx.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\mssearchnet.exe
    C:\WINDOWS\System32\nvctrl.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\a-squared\a2guard.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\PLANET\PLANET WL-U356A\WlanUtil.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\user\My Documents\software\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tfnetonline.com/webmail
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tfnetonline.com/webmail
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
    O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hp383E.tmp
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: PLANET WL-U356A Utility.lnk = C:\Program Files\PLANET\PLANET WL-U356A\WlanUtil.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1130149671264
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20BC6388-4236-47D4-A2B4-40066CFA6304}: NameServer = 196.207.15.42,80.88.128.23
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AFA38C9-16E4-4F97-9666-E7B84D5E9632}: NameServer = 196.207.15.42
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9977D1A0-D9FD-4197-9A13-ABBE27482B40}: NameServer = 192.168.0.1,196.207.15.42
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FE205F7A-A29B-4870-BE0C-7CBB4E94266C}: NameServer = 192.168.0.1,196.207.15.43
    O17 - HKLM\System\CS1\Services\Tcpip\..\{20BC6388-4236-47D4-A2B4-40066CFA6304}: NameServer = 196.207.15.42,80.88.128.23
    O17 - HKLM\System\CS2\Services\Tcpip\..\{20BC6388-4236-47D4-A2B4-40066CFA6304}: NameServer = 196.207.15.42,80.88.128.23
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
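
Added example, not part of the original thread and not code from HijackThis: a short Python triage of the O2 (BHO) entries in a log like the one above, flagging a BHO whose registered module is not a DLL/OCX or whose path differs between two scans (the symptom described in post #1). The first O2 line is copied from the log above; the second scan's file name, the ExampleBHO entry and the extension allow-list are constructed assumptions.

```python
import ntpath
import re

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <module path>"
O2_RE = re.compile(
    r"^\s*O2 - BHO:\s*(?P<name>.*?)\s*-\s*(?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"\s*-\s*(?P<path>.+?)\s*$")
NORMAL_EXTS = {".dll", ".ocx"}  # assumption: usual in-process COM module extensions
MISSING = "(file missing)"       # suffix HijackThis appends when the file is absent

# First O2 line is from the log in this thread; ExampleBHO is constructed.
SCAN_1 = r"""
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hp383E.tmp
O2 - BHO: ExampleBHO - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\example.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""
# Constructed second scan: same CLSID, different temp file name after a reboot.
SCAN_2 = r"""
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\System32\hp1A2B.tmp
O2 - BHO: ExampleBHO - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\example.dll
"""

def parse_bhos(log_text):
    """Return {clsid_lowercase: (name, path, file_missing)} for every O2 line."""
    bhos = {}
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if not m:
            continue  # not an O2 entry (O3, O4, ... are ignored)
        path = m.group("path")
        missing = path.endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)].rstrip()
        bhos[m.group("clsid").lower()] = (m.group("name"), path, missing)
    return bhos

def triage(current_log, previous_log=""):
    """Return a sorted list of (clsid, path, reasons) for BHOs worth a closer look."""
    before = parse_bhos(previous_log)
    findings = []
    for clsid, (name, path, missing) in parse_bhos(current_log).items():
        reasons = []
        ext = ntpath.splitext(path)[1].lower()
        if ext not in NORMAL_EXTS:
            reasons.append("module extension %r is not a DLL/OCX" % ext)
        if missing:
            reasons.append("registered module is missing on disk")
        # Stable CLSID with a moving file name: the registration survives cleanup.
        if clsid in before and before[clsid][1].lower() != path.lower():
            reasons.append("module path changed since previous scan")
        if reasons:
            findings.append((clsid, path, reasons))
    return sorted(findings)

if __name__ == "__main__":
    for clsid, path, reasons in triage(SCAN_2, SCAN_1):
        print(clsid, path, "; ".join(reasons))
```

The CLSID is the stable handle here: the file name changes, but the registration that points at it does not.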

  4. #4
    Visiting Admin ChrisRLG's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    17

    Default

    Download smitRem.exe©noahdfear and save the file to your desktop.
    Double click on the file to extract it to its own folder on the desktop.

    Place a shortcut to Panda ActiveScan on your desktop.

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Ad-Aware SE Setup
    Don't run it yet!

    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


    Open Ad-aware and do a full scan. Remove all it finds.


    Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido

    Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut.
    - Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
    Let us know if any problems persist.

  5. #5
    Visiting Admin ChrisRLG's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    17

    Default

    Please note.

    You have no updates to Windows, and that is why you have got infected.

    When clean, if you do not update Windows you will be reinfected within days.

    While infected, please do not try to install SP2 from Windows Update or it will damage your system. If you can update to SP1a and security updates since then, it will help.

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Default THANKS!!!!!!!!!!!!!!!. I will have to donate

    mitRem © log file
    version 2.7

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: Mon 11/14/2005
    The current time is: 15:09:03.99

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN!

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 3:49:27 PM, 11/14/2005
    + Report-Checksum: 3CC2B342

    + Scan result:

    C:\Documents and Settings\user\My Documents\software\backups\backup-20051110-124101-792.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\Documents and Settings\user\My Documents\software\backups\backup-20051110-125017-838.dll -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\Documents and Settings\user\Cookies\user@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\user\Cookies\user@www.burstbeacon[1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\user\Cookies\user@e-2dj6wjk4amcpsdo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\System Volume Information\_restore{CA2B22DD-4EDA-445A-9FED-9357CD142689}\RP49\A0042742.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\System Volume Information\_restore{CA2B22DD-4EDA-445A-9FED-9357CD142689}\RP66\A0047609.exe -> Trojan.Agent.il : Cleaned with backup
    C:\System Volume Information\_restore{CA2B22DD-4EDA-445A-9FED-9357CD142689}\RP67\A0047626.exe -> TrojanDownloader.Zlob.bb : Cleaned with backup
    C:\System Volume Information\_restore{CA2B22DD-4EDA-445A-9FED-9357CD142689}\RP67\A0047629.exe -> TrojanDropper.Small.ahh : Cleaned with backup


    ::Report End



    Active scan log
    Incident: Adware:Adware/SecurityError
    Status: No disinfected
    Location: C:\System Volume Information\_restore{CA2B22DD-4EDA-445A-9FED-9357CD142689}\RP49\A0042743.tlb


  7. #7
    Visiting Admin ChrisRLG's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    17

    Default

    You may be about to post it, but just in case, could I have another HJT log please.
