CCleaner Community Forums


Everything posted by AndyManchesta

  1. Nice work Ian. There's another trojan showing in the log but I guess it's all part of the same infection. This one is hooking to userinit.exe to make sure it's always running, but with it not being in the running processes it may have already been removed from your system. Regarding where it's coming from, I really do not know; it may be dropped by an exploit script written into a malicious webpage, but if you have all the updates from Windows installed and you don't have any older versions of Java still on the system then I doubt that would be the cause. Nice to see it went without a fight though,
  2. Hi Ian. There's the trojan. This is a bit of a pain to manually remove as it does everything possible to protect itself: you cannot delete the file or reg entry as it's removed all permissions to access them; if you reset the permissions on the reg key and delete it then the trojan will put it back instantly; if you remove the trojan file then explorer.exe will not be able to start because of the above reg entry; and it targets a lot of different tools. I put a small script together last time I tested this to remove it and fix the permissions, which I will post below. I will also post some
  3. Hi Ian. Please can you start with this: go to Start Menu > Run and copy and paste: cmd /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt Press OK and it will export some information from your registry and save it to a text file named Result.txt, which will save to C:\ and also open in Notepad. Please post the contents of that file back on here. I suspect you have a variant of the gromozon rootkit and a linkoptimizer trojan; we can deal with the grom
  4. I'll post the HJT log shortly. I actually did feel like I had a trojan earlier: my mouse started left clicking things by itself every so often and dragging things I'd moused over. It was well annoying as it was highlighting text on websites if I moved up or down and clicking links without my having to left click. I went to a PC shop to get a new one and mentioned it while I was there and the guy said 'Oh yeah, you've got a sticky button' (guess that's a new 'technical' term). I sort of figured that much out myself but my new mouse is being better behaved
  5. http://www.google.com/tisp/notfound.html
  6. Hi Steve, excuse the delay, I've just got back from work so have a bit of catching up to do. You're best leaving the file in system32 for now until we can get some scanners run on your system to see what the infection is. You can get a list of the Image File Execution Options key if needed by going to Start > Run, then copy and paste: cmd /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt Press OK and it will export the key details to a tex
  7. Hi scotiabahn. Hazelnut asked me to check on this thread but I'm not sure at the moment if the malware has caused damage to the registry which is causing multiple problems or if it will be possible to clean it up. [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe] "Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\"" Now that's not nice. It's lucky in a sense that it's not added a debugger value for an essential file such as winlogon.exe, as you then wouldn't have been able to log in when you moved the wbjrwesa.txt file. This re
  8. Trend Micro has an excellent write-up on this Trojan here: http://www.trendmicro.com/vinfo/secadvisor...+Focused+Attack
  9. Glad you got things resolved. Regarding the CA AV problem, there's a FAQ page here with common problems listed: http://home3.ca.com/Support/techsupport/iss.aspx# If you cannot find the issue then consider contacting CA if the problem continues. Depending on where you're located you should be able to get help using their web support feature, so that may be easier. US http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-US AU http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-AU UK http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-GB Euro
  10. Hi yr3750. Check the Add/Remove screen first (Start Menu > Control Panel > Add or Remove Programs) and remove the ZoneAlarm and CA products if possible. Also check your system's date and time to make sure they are correct (Start Menu > Control Panel > Date and Time). If the date is correct and you cannot remove ZA then go to Start > Run > type services.msc. Press OK, then locate this in the service list: TrueVector Internet Monitor. If found, double click it to open the properties screen (or right click and choose Properties). On the StartUp type change it
  11. Happy Christmas to all, hope you all get a nice surprise of Santa for being so great. I've been getting ready for Christmas / I'm revving up for the great day / my credit card's cracked and my freezer is packed / 'cause I started my shopping in May / The family is coming for dinner / last year it was quite a good laugh / we ate fairly late - dished the veg on the plate / found the turkey was still in the bath / the Kids are all pink with excitement / 'cause Santa will come so they say / their lists are extensive - extremely expensive / and they'll break it all by Boxing day / But it's worth all that fuss Christmas morni
  12. If anyone does use the phishing filter in IE7 then the patch released by Microsoft to prevent slowdowns when browsing might be useful (XP SP2 & 2003) http://support.microsoft.com/kb/928089/
  13. It's a false positive as RRidgely said, it's just Ccleaner's Uninstaller which is run if you remove it from the Add/Remove screen. If the system became unresponsive then that's not connected to the uninst.exe, but you should consider contacting the AV's customer support to report the false detection. If you do a google search for this you will see other vendors have had similar problems with the uninstaller but when they are notified they soon fix it: http://www.google.co.uk/search?hl=en&q...virus&meta= Here's VirusTotal Results for the Uninst.exe file
  14. Hi SpySnake, if you think there may be a bug in SpywareBlaster it's best to post it on the Javacool forum so the developer can reply: http://www.wilderssecurity.com/forumdisplay.php?f=23
  15. Hi Fullbug. SpywareBlaster is excellent. It doesn't run in the background and does all its work when you open the program and enable all protection, then you can just keep it updated and repeat the steps and close the program. It adds hundreds of malicious sites to the restricted zone in IE to prevent any of those sites infecting you if you visit them, and it also blocks the popular ActiveX controls that are used by malware, so again it can prevent infections if you visit a malicious site. There's an excellent tutorial on SpywareBlaster here which explains its features in more detail, h
  16. I've always found it funny that CWShredder detects CWSMsconfig anytime you use the genuine MSConfig; it's been that way for as long as I can remember and it's still not fixed. For example, run MSConfig and make a change to the startup entries, then click apply and exit and it will prompt for a reboot and add this to the run key so that it loads again on reboot: O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto Use CWShredder and it finds CWSMsconfig and deletes the run value and then gives this link for more info http://cwshredder.net/cwshredder/cwsc
  17. Hi Fabio. This topic is quite old so wouldn't apply to the present version of IE7. Have you tried the tips on this page? http://www.ie-vista.com/kbase2.html http://www.ie-vista.com/known_issues.html If you still cannot uninstall, could you give more details on what's happening when you try using the Add/Remove screen icon or by running the uninstall command? Andy
  18. Hi Jess. The replacement files are really only needed if you used an older version of Ccleaner on the Hotfix uninstaller option, as that would have removed the uninstaller file for IE7 Beta. If you haven't used an older version then first check the Add/Remove screen for the IE7 entry (Start Menu > Control Panel > Add or Remove Programs) and uninstall it from there if it's listed. If you have removed the uninstaller using Ccleaner then when you try to remove it using the Add/Remove screen it will show the file isn't found and remove it from the list; this is when you will need to replac
  19. Hi Hilamonsta. I've just replied to your HijackThis log. The file windmh32.dll is a Trojan.Agent variant and is hooked to Winlogon but can be removed without problems, which we can address on your HijackThis topic if it still remains. The problem is it's not showing in your HijackThis log, which probably means you have Trojan Vundo on your system, as that installs a rootkit service (DP1112) to hide 02 BHO and 020 Winlogon entries from HijackThis. I will add another reply to your HijackThis thread to deal with Vundo if it's present, then we can see what else is hooking to Winlogon or if there
  20. Good suggestion. You can see where all the Uninstall Entries point using HijackThis if needed, and also remove entries if they remain on the list after being uninstalled. Download HijackThis. Save it in a convenient permanent folder such as C:\HijackThis\. Open HijackThis, click Open the Misc tools section, then click the Open Uninstall Manager... button. The Add/Remove Programs Manager panel should appear. HijackThis will show the Uninstall Command for each entry in the top right corner, which will show you where the files are located, and the Delete this entry button will remov
  21. Hi Baling, you will have to try to find a site that still has beta1 available to download, then it's easy to upload the uninstall files. I'm not aware of any site that still has that version. Andy
  22. Hi Davinci, welcome to the forum. Glad the files helped. I've had a lot of emails asking for other versions recently so there are now files on there for beta2 preview, beta2 refresh and the final beta2, but I don't think they will be needed much longer as I believe the bug has been fixed in Ccleaner. I'll keep the files there for anyone who needs them though, as it beats telling people to reinstall Windows. I don't think Ccleaner would have removed Gnucleus's Uninstaller as this bug was just because of the Hotfix uninstall option, but if you are missing files, have you tried to reinstall it o
  23. The files are still on there for beta2. I just had a couple of problems with my site yesterday but it's resolved now. Cheers
  24. I'm a bit late to the party. Happy 7th of July everyone