AndyManchesta
Everything posted by AndyManchesta

  1. Nice work Ian

     There's another trojan showing in the log but I guess it's all part of the same infection, this one is hooking to userinit.exe to make sure it's always running but with it not being in the running processes it may have already been removed from your system. Regarding where it's coming from I really do not know, it may be dropped by an exploit script written into a malicious webpage but if you have all the updates from Windows installed and you don't have any older versions of Java still on the system then I doubt that would be the cause. Nice to see it went without a fight though, you can delete the LinkOptFix folder now as it contains a copy of the trojan file.

     Download the Gromozon remover from here http://www.prevx.com/gromozon.asp
     If you cannot download it for any reason let me know and I'll upload it into the thread. Run the tool and follow the prompts, when it's finished it will create a logfile in C:\ named Gromozon_removal.log, please post the contents of that file back on here. Click No if it prompts you to install Prevx as it's only a trial version which isn't needed here.

     It may be easier to copy and paste this to Notepad and save it, as all browser windows need closing when fixing the entries.

     Run HijackThis and choose Do A System Scan then place a check next to these entries:

     R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
     F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\seagate-helper.exe",
     O2 - BHO: (no name) - {00000000-6C30-11D8-9363-000AE6309654} - (no file)
     O2 - BHO: (no name) - {21B5274C-4950-A739-CFDE-34197B9D4B81} - (no file)
     O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
     O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
     O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
     O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
     O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
     O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} -
     O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} -
     O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
     O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} -
     O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
     O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} -
     O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -
     O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
     O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} -
     O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} -
     O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} -
     O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -
     O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -

     Close all open browser and other windows except for HijackThis and press the Fix Checked button.

     Can you set Windows to show hidden files and folders:
     Click Start. Go to My Computer then the C:\ drive. Select the Tools menu from the top bar and click Folder Options. Select the View tab. Under the Hidden files and folders heading select "Show hidden files and folders". Uncheck the "Hide protected operating system files (recommended)" option. Click Yes to confirm then OK.
     Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

     Check if this file still exists: c:\windows\seagate-helper.exe
     If it does please have it scanned at VirusTotal as it's clearly a trojan with it hooking to userinit.exe. Visit VirusTotal and have this file scanned: c:\windows\seagate-helper.exe
     Open the scan site and press Browse, locate the file and double click it to load the path into the virus scan window then press Send, copy and paste the virus scan results back, and let us know if the file doesn't exist after setting Windows to show hidden and system files.

     Finally download AVG Anti-Spyware
     Load AVG and then click the Update tab at the top. Under Manual Update click Start update. After the update finishes (the status bar at the bottom will display "Update successful") click on the Scanner tab at the top and then click on Complete System Scan. AVG will list any infections found on the left, when the scan has finished it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back.

     Please then post back the Gromozon remover log, VirusTotal results if the file exists, AVG log and a new HijackThis log

     Thanks
     Andy
  2. Hi Ian

     There's the trojan, this is a bit of a pain to manually remove as it does everything possible to protect itself, you cannot delete the file or reg entry as it's removed all permissions to access them, if you reset the permissions on the reg key and delete it then the trojan will put it back instantly, if you remove the trojan file then explorer.exe will not be able to start because of the above reg entry, and it targets a lot of different tools. I put a small script together last time I tested this to remove it and fix the permissions which I will post below, I will also post some instructions for removing the reg key manually just in case it's needed, please ask any questions you may have before proceeding.

     Download LinkOptfix from Here and save it to your desktop
     Copy and paste these instructions to Notepad and save it to your C:\ drive in case you need to access it without using the start menu later.

     To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix, open the newly created LinkOptfix folder and double click fix.bat, it will only take a few seconds to run. First it finds the filename, creates a backups folder, moves the file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions on its reg entry, removes the reg entry, then resets the permissions on its file and then restarts explorer.exe. You should then be able to run HijackThis and post a log and also run CCleaner, if you can then ignore the rest of this post and reply so we can then check for the Gromozon part of the infection.

     If you have problems and explorer.exe doesn't restart then you will have to remove its reg entry, which will be possible as the file would have been moved so it cannot load again. If explorer doesn't restart you will not be able to access the start menu, so press Control, Alt & Delete to open Task Manager, then click Applications and New Task, you can then click Browse to find the text file you saved with these instructions and click OK to open it, then type Regedit into Task Manager > Applications > New Task and click OK to open the registry editor.

     Click the [+] next to HKEY_LOCAL_MACHINE
     Click the [+] next to SOFTWARE
     Click the [+] next to Microsoft
     Click the [+] next to Windows NT
     Click the [+] next to CurrentVersion
     Click the [+] next to Image File Execution Options

     Scroll down the list and find explorer.exe then right click it and choose Permissions. On the permissions for Everyone area place a check next to Full Control then click Apply and OK, right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task and type explorer.exe and click OK and then it will restart.

     You should not need the manual instructions as the fixtool should remove it fine but it's best to be safe and provide an alternative just in case it's needed. Let me know if you have any problems or questions

     Cheers
     Andy
  3. Hi Ian

     Please can you start with this. Go to Start Menu > Run > and copy and paste

     cmd /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt

     Press OK and it will export some information from your registry and save it to a text file named Result.txt which will save to C:\ and also open in Notepad, please post the contents of that file back on here.

     I suspect you have a variant of the Gromozon rootkit and a LinkOptimizer trojan, we can deal with the Gromozon part a bit later if it's present but it's the LinkOptimizer trojan that is likely causing the problems. It hooks to explorer using a reg entry and changes permissions on the reg value and file so even Admin users cannot remove it. If you type CCleaner in Start > Run or browsers then explorer will crash, same for other tools like HijackThis, even moving the mouse over the icon will crash explorer without you clicking it, so this trojan matches what you are describing. If anything removes the trojan file then you will not be able to restart explorer.exe (no desktop icons or start menu) but I will explain that in more detail after seeing the results from the above command.

     Cheers
     Andy
  4. I'll post the HJT log shortly. I actually did feel like I had a trojan earlier, my mouse started left clicking things by itself every so often and dragging things I'd moused over, it was well annoying as it was highlighting text on websites if I moved up or down and clicking links without my having to left click. I went to a PC shop to get a new one and mentioned it while I was there and the guy said 'Oh Yeah you've got a sticky button' (guess that's a new 'technical' term), I sort of figured that much out myself but my new mouse is being better behaved
  5. http://www.google.com/tisp/notfound.html
  6. Hi Steve,

     Excuse the delay, I've just got back from work so have a bit of catching up to do.

     You're best leaving the file in system32 for now until we can get some scanners run on your system to see what the infection is. You can get a list of the Image File Execution Options key if needed by going to Start > Run > then copy and paste

     cmd /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt

     Press OK and it will export the key details to a text file named Result.txt then open it with Notepad (it also saves to the C:\ drive), the only entry that should show a Debugger value is this example entry

     I need to go back out for a while but I'll check on the HijackThis subforum for any updates when I get back and we can continue on there.

     Cheers
     Andy
  7. Hi scotiabahn

     Hazelnut asked me to check on this thread but I'm not sure at the moment if the malware has caused damage to the registry which is causing multiple problems, or if it will be possible to clean it up.

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
     "Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

     Now that's not nice. It's lucky in a sense that it's not added a Debugger value for an essential file such as winlogon.exe, as you then wouldn't have been able to log in when you moved the wbjrwesa.txt file. This reg key sets up another program to run as a debugger when the initial file (explorer.exe) is run, but Windows doesn't verify that it's a legit debugger, it just starts the file in the Debugger value, and if the file is deleted then the file which has the Debugger value will not run either. In this case where the Debugger value is a txt file I would have expected it to show errors even if the file exists, like "explorer isn't a valid Win32 application" because it's trying to load the txt file, and if the txt file is removed then explorer.exe will not run and give a message similar to "Windows cannot find explorer.exe", so there may be other parts to this infection which are not showing up to now. The explorer.exe subkey isn't in the Image File Execution Options key by default so it's fine to remove it, but it does show that the machine has been infected.

     To remove the value go to Start > Run and copy and paste this

     reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f

     Press OK and it will remove the key, you will not notice anything but the key will be removed. You can then attempt to move the txt file again and see if explorer loads on reboot, if it doesn't then there is something else protecting the reg entries or recreating it when it's removed. It may be easier to download Process Explorer from here to save having to keep rebooting http://download.sysinternals.com/Files/ProcessExplorer.zip
     Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop then right click explorer.exe in Process Explorer and choose Restart. If it starts OK then the Debugger value wasn't recreated, but if you get errors and explorer fails to restart then the Debugger value is still present, so you will have to either run the reg fix again by using Task Manager > New Task or put the file back into system32 while we check for other trojans that may be protecting it.

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://morwillsearch.com/?adv_id=amandaxxx&sub_id=

     I'm sure you didn't set morwillsearch as your default search page as they have been associated with many trojans over the years, mostly CWS and clicker variants, but that could have been on your system for a long time so it may be unrelated. It's also in your IE trusted zone so that needs fixing.

     O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

     This appears to be a pr0n dialer of some form which was probably installed without your consent, but the domain xearl.com is linked to Gromozon infections which are very difficult to clean due to rootkits being installed. That infection only seems to target Italian IP addresses but with it being present on your system you will have to run a couple of rootkit scans to make sure it's clear, you can get more info on Gromozon here http://www.prevx.com/gromozon.asp

     O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

     Another trojan entry, the file looks like it's already been removed at some stage but it's left the registry entry behind. I think it's a variant of VIPSearcher but it may be a Delf trojan http://research.sunbelt-software.com/threa...;threatid=40085

     Please post the logs from these below steps into a new topic on the HijackThis forum Here, as this looks more like malware damage rather than CCleaner failing.

     If you cannot extract HijackThis then download the Trend Micro .exe version from here http://www.trendsecure.com/portal/en-US/th...JackThis_v2.exe

     Run HijackThis and choose Do A System Scan then place a check next to these entries:

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h*tp://morwillsearch.com/?adv_id=amandaxxx&sub_id=
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
     O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)
     O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
     O15 - Trusted Zone: *.morwillsearch.com
     O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab
     O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://zone.msn.com/bingame/popcaploader_v10.cab
     O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

     Close all open browser and other windows except for HijackThis and press the Fix Checked button.

     Optional Fix
     O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     This is a lock on your homepage to prevent it being changed, the buttons in Internet Options to change it will be grayed out on the homepage part. If you or a protection program added the homepage lock then it can be ignored, but if not then it can be fixed with HijackThis.

     Download the Gromozon remover from Here and run it just to make sure there isn't an infection present.

     Download win32delfkil.exe. Save it on your desktop. Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil. Close all windows, open the win32delfkil folder and double click on fix.bat. The computer will reboot automatically. Post the contents of the logfile c:\windelf.txt into your new HijackThis topic.

     Download Blacklight beta HERE and save it to your desktop. Run the program, accept the statement > click Next then Scan. When it's finished scanning exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.

     Finally, if you're able to, please do an online scan with Kaspersky WebScanner.
     Click on Kaspersky Online Scanner
     You will be prompted to install an ActiveX component from Kaspersky, click Yes.
     The program will launch and then begin downloading the latest definition files. Once the files have been downloaded click on NEXT.
     Now click on Scan Settings. In the scan settings make sure that the following are selected:
       Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
       Scan Options: Scan Archives, Scan Mail Bases
     Click OK
     Now under select a target to scan: select My Computer
     This program will start and scan your system.
     The scan will take a while so be patient and let it run.
     Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button.
     Save the file to your desktop.
     Copy and paste that information in your next post.

     Please then start a new topic in the HijackThis forum, post the windelf.txt, Blacklight log if it finds hidden files and the Kaspersky log. Let us know if you have problems

     Regards
     Andy
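     Posts 3 and 6 ask for the output of `reg.exe query "...\Image File Execution Options" /s`, and post 7 shows what a bad entry in it looks like. As an added example (not from the original posts), here is a small Python checker that parses that Result.txt format and flags every Debugger value other than the stock example entry; the sample Result.txt below is constructed, and the DllNXOptions subkey and the "Your Image File Name Here without a path" example entry are Windows XP defaults I am assuming rather than values quoted on the page.

```python
import re
from typing import Dict, List, Tuple

# Key path as written in the posts above (post 7's reg delete uses the HKLM short form).
IFEO_PATH = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Assumed Windows XP default: one placeholder subkey under IFEO legitimately carries a
# Debugger value ("ntsd -d"); it is the "example entry" post 6 says is the only one expected.
DEFAULT_IFEO_EXAMPLE = "Your Image File Name Here without a path"

# Constructed sample of what `reg.exe query "..." /s > Result.txt` writes on XP.
# The explorer.exe subkey and its .txt "debugger" mirror the finding quoted in post 7;
# DllNXOptions (assumed default subkey) has no Debugger value and must not be flagged.
SAMPLE_RESULT_TXT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger    REG_SZ    ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
    MSCOREE.DLL    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger    REG_SZ    "c:\windows\system32\wbjrwesa.txt"
"""

# A value line is: indent, value name, whitespace, REG_* type, optional data.
_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse `reg query /s` output into {key_path: {value_name: (type, data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # blank lines and the REG.EXE banner
        if line.startswith("HKEY_"):
            current = line.strip()        # a new subkey header
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def find_debugger_entries(keys: Dict[str, Dict[str, Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return (image_name, debugger_data) for every subkey carrying a Debugger value."""
    found = []
    for path, values in keys.items():
        for name, (_vtype, data) in values.items():
            if name.lower() == "debugger":
                found.append((path.rsplit("\\", 1)[-1], data))
    return found


def suspicious_debuggers(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag every Debugger value except the stock example entry, with a reason.

    A real debugger is an executable; a data file such as the .txt in post 7 means
    the program it is attached to cannot start at all once that file is gone.
    """
    findings = []
    for image, debugger in entries:
        if image.lower() == DEFAULT_IFEO_EXAMPLE.lower():
            continue
        target = debugger.strip().strip('"')
        if not target.lower().endswith(".exe"):
            reason = "debugger target is not an executable"
        else:
            reason = "not present by default, confirm it was set intentionally"
        findings.append((image, target, reason))
    return findings


def remediation_command(image: str) -> str:
    """The `reg delete` one-liner from post 7, for the given IFEO subkey."""
    return f'reg delete "{IFEO_PATH}\\{image}" /f'


if __name__ == "__main__":
    hits = suspicious_debuggers(find_debugger_entries(parse_reg_query(SAMPLE_RESULT_TXT)))
    for image, target, reason in hits:
        print(f"{image}: Debugger -> {target} ({reason})")
        print("  fix:", remediation_command(image))
```

     Run against a real Result.txt by reading the file into `parse_reg_query` instead of the constructed sample.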
  8. Trend Micro has an excellent write-up on this Trojan here: http://www.trendmicro.com/vinfo/secadvisor...+Focused+Attack
  9. Glad you got things resolved. Regarding the CA AV problem, there's a FAQ page here with common problems listed http://home3.ca.com/Support/techsupport/iss.aspx#
     If you cannot find the issue then consider contacting CA if the problem continues, depending on where you're located you should be able to get help using their web support feature so that may be easier
     US http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-US
     AU http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-AU
     UK http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-GB
     Euro http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-IE

     All the best
     Andy
  10. Hi yr3750

     Check the Add/Remove screen first (Start Menu > Control Panel > Add or Remove Programs) and remove the ZoneAlarm and CA products if possible, also check your system's date and time to make sure they are correct (Start Menu > Control Panel > Date and Time).

     If the date is correct and you cannot remove ZA then go to Start > Run > type services.msc
     Press OK then locate this in the service list: TrueVector Internet Monitor
     If found, double click it to open the properties screen (or right click and choose Properties)
     On the Startup type change it to: Disabled
     On the Service Status, click Stop
     Then press Apply and OK
     (The above may generate Access Denied messages but it is suggesting you stop the service in your post so it's worth a try)

     Run CCleaner to remove the contents of the Temp folders then reboot and try to install ZA again. There's also instructions here for manually removing Zone Alarm if needed http://www.castlecops.com/t99980-couldnt_v..._to_fix_it.html
     If you still cannot install ZA then you would be best contacting their customer support https://www.zonelabs.com/store/content/form...ech_support.jsp

     Andy
  11. Happy Christmas to all, hope you all get a nice surprise off Santa for being so great

     I've been getting ready for Christmas
     I'm revving up for the great day
     my credit card's cracked and my freezer is packed
     'cause I started my shopping in May
     The family is coming for dinner
     last year it was quite a good laugh
     we ate fairly late - dished the veg on the plate
     found the turkey was still in the bath
     the Kids are all pink with excitement
     'cause Santa will come so they say
     their lists are extensive - extremely expensive
     and they'll break it all by Boxing day
     But it's worth all that fuss Christmas morning
     when their little eyes are all aglow
     when we're all feeling merry full of goodwill and sherry
     and suffering from wind Ho Ho Ho
     But please don't forget why we do it
     why each year we must go to this fuss
     for that guy up above who brought peace and brought love
     and who probably owns Toys R Us..........
  12. If anyone does use the phishing filter in IE7 then the patch released by Microsoft to prevent slowdowns when browsing might be useful (XP SP2 & 2003) http://support.microsoft.com/kb/928089/
  13. It's a false positive as RRidgely said, it's just CCleaner's uninstaller which is run if you remove it from the Add/Remove screen. If the system became unresponsive then that's not connected to the uninst.exe, but you should consider contacting the AV's customer support to report the false detection. If you do a Google search for this you will see other vendors have had similar problems with the uninstaller but when they are notified they soon fix it http://www.google.co.uk/search?hl=en&q...virus&meta=
     Here are the VirusTotal results for the Uninst.exe file
  14. Hi SpySnake, if you think there may be a bug in SpywareBlaster it's best to post it on the Javacool forum so the developer can reply http://www.wilderssecurity.com/forumdisplay.php?f=23
  15. Hi Fullbug

     SpywareBlaster is excellent, it doesn't run in the background and does all its work when you open the program and enable all protection, then you can just keep it updated and repeat the steps and close the program. It adds hundreds of malicious sites to the Restricted zone in IE to prevent any of those sites infecting you if you visit them, it also blocks the popular ActiveX controls that are used by malware so again it can prevent infections if you visit a malicious site. There's an excellent tutorial on SpywareBlaster here which explains its features in more detail http://www.bleepingcomputer.com/tutorials/tutorial49.html

     Andy
  16. I've always found it funny that CWShredder detects CWSMsconfig any time you use the genuine MSConfig, it's been that way for as long as I can remember and it's still not fixed. For example run MSConfig and make a change to the startup entries then click Apply and exit and it will prompt for a reboot and add this to the Run key so that it loads again on reboot.

     O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

     Use CWShredder and it finds CWSMsconfig and deletes the Run value and then gives this link for more info http://cwshredder.net/cwshredder/cwschronicles.html#msconfig

     Apart from that I agree with RRidgely that CWS isn't active now and they have likely moved on to the more recent infections, so CWShredder isn't that useful and is very unlikely to find anything on an infected system (unless you use MSConfig)
  17. Hi Fabio

     This topic is quite old so wouldn't apply to the present version of IE7. Have you tried the tips on this page?
     http://www.ie-vista.com/kbase2.html
     http://www.ie-vista.com/known_issues.html

     If you still cannot uninstall, could you give more details on what's happening when you try using the Add/Remove screen icon or by running the uninstall command?

     Andy
  18. Hi Jess

     The replacement files are really only needed if you used an older version of CCleaner on the Hotfix uninstaller option, as that would have removed the uninstaller file for IE7 Beta. If you haven't used an older version then first check the Add/Remove screen for the IE7 entry (Start Menu > Control Panel > Add or Remove Programs) and uninstall it from there if it's listed. If you have removed the uninstaller using CCleaner then when you try to remove it using the Add/Remove screen it will show the file isn't found and remove it from the list, this is when you will need to replace its folder. There are a few versions of beta 2 (preview, refresh and the final beta 2) so it would have to be the same version you have to work correctly. I do have the uninstallers for other versions but this is the most common one that is needed.

     First download this file http://andymanchesta.com/IE7/$NtUnins...b2pmx$.zip and save it to your desktop
     Right click the .zip file and choose Extract All, this will create a second folder on your desktop named $NtUninstallie7b2pmx$
     Right click that folder and choose Copy
     Next go to Start Menu > My Computer > C:\ drive > Windows
     When the Windows folder opens right click an empty space and choose Paste
     Once that has been copied into the Windows folder go to Start Menu > Run > and copy and paste

     "C:\WINDOWS\$NtUninstallie7b2pmx$\spuninst\spuninst.exe"

     Press OK and it then should start the uninstall of IE7. Let us know if you have any problems

     Andy
  19. Hi Hilamonsta

     I've just replied to your HijackThis log, the file windmh32.dll is a Trojan.Agent variant and is hooked to Winlogon but can be removed without problems, which we can address on your HijackThis topic if it still remains. The problem is it's not showing in your HijackThis log, which probably means you have Trojan Vundo on your system as that installs a rootkit service (DP1112) to hide O2 BHO and O20 Winlogon entries from HijackThis. I will add another reply to your HijackThis thread to deal with Vundo if it's present, then we can see what else is hooking to Winlogon or if there are any malicious BHOs present and remove them

     Andy
  20. Good suggestion. You can see where all the Uninstall entries point using HijackThis if needed and also remove entries if they remain on the list after being uninstalled.

     Download HijackThis
     Save it in a convenient permanent folder such as C:\HijackThis\
     Open HijackThis, click Open the Misc Tools section
     Then click the Open Uninstall Manager... button. The Add/Remove Programs Manager panel should appear.

     HijackThis will show the Uninstall Command for each entry in the top right corner, which will show you where the files are located, and the Delete this entry button will remove it if the files no longer exist.

     Andy
  21. Hi Baling, you will have to try to find a site that still has beta1 available to download, then it's easy to upload the uninstall files. I'm not aware of any site that still has that version.

     Andy
  22. Hi Davinci, welcome to the forum

     Glad the files helped, I've had a lot of emails asking for other versions recently so there are now files on there for beta2 preview, beta2 refresh and the final beta2, but I don't think they will be needed much longer as I believe the bug has been fixed in CCleaner. I'll keep the files there for anyone who needs them though as it beats telling people to reinstall Windows.

     I don't think CCleaner would have removed Gnucleus's uninstaller as this bug was just because of the Hotfix uninstall option, but if you are missing files, have you tried to reinstall it on top of itself as it might be able to repair it. http://www.gnucleus.com/Gnucleus/general/download.html

     Andy
  23. The files are still on there for beta2, I just had a couple of problems with my site yesterday but it's resolved now. Cheers
  24. I'm a bit late to the party. Happy 7th of July everyone