AndyManchesta

Posts posted by AndyManchesta

  1. Nice work Ian :)

     

    There's another trojan showing in the log but I guess it's all part of the same infection. This one is hooking to userinit.exe to make sure it's always running, but with it not being in the running processes it may have already been removed from your system. Regarding where it's coming from I really do not know; it may be dropped by an exploit script written into a malicious webpage, but if you have all the updates from Windows installed and you don't have any older versions of Java still on the system then I doubt that would be the cause. Nice to see it went without a fight though; you can delete the LinkOptFix folder now as it contains a copy of the trojan file.

     

    Download the Gromozon remover from here

     

    http://www.prevx.com/gromozon.asp

     

    If you cannot download it for any reason let me know and I'll upload it into the thread. Run the tool and follow the prompts; when it's finished it will create a logfile in C:\ named Gromozon_removal.log, please post the contents of that file back on here. Click No if it prompts you to install Prevx as it's only a trial version which isn't needed here.

     

    It may be easier to copy and paste this to Notepad and save it, as all browser windows need closing when fixing the entries.

     

    Run Hijack This and choose Do A System Scan then place a check next to these entries

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\seagate-helper.exe",

    O2 - BHO: (no name) - {00000000-6C30-11D8-9363-000AE6309654} - (no file)

    O2 - BHO: (no name) - {21B5274C-4950-A739-CFDE-34197B9D4B81} - (no file)

    O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -

    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} -

    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} -

    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} -

    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -

    O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} -

    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} -

    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -

    O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} -

    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} -

    O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} -

    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -

    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -

    Close all open browser and other windows except for Hijack This and press the Fix Checked button

     

     

    Can you set Windows to show hidden files and folders

     

    Click Start, go to My Computer then the C:\ drive.

    Select the Tools menu from the top bar and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".

    Uncheck the "Hide protected operating system files (recommended)" option.

     

    Click Yes to confirm then OK

     

    Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

     

    Check if this file still exists

     

    c:\windows\seagate-helper.exe

     

    If it does, please have it scanned at VirusTotal as it's clearly a trojan with it hooking to userinit.exe.

     

    Visit VirusTotal and have this file scanned:

     

    c:\windows\seagate-helper.exe

     

    Open the scan site and press Browse, locate the file and double click it to load the path into the Virus scan window, then press Send. Copy and paste the Virus scan results back, and let us know if the file doesn't exist after setting Windows to show hidden and system files.

     

    Finally download AVG Anti-Spyware

    • Load AVG and then click the Update tab at the top. Under Manual Update click Start update.
    • After the update finishes (the status bar at the bottom will display "Update successful")
    • Click on the Scanner tab at the top and then click on Complete System Scan
    • AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right.
    • Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back

    Please then post back the Gromozon remover log, VirusTotal results if the file exists, AVG log and a new HijackThis log

     

    Thanks

     

    Andy

  2. Hi Ian

     

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

    Debugger REG_SZ "c:\windows\system32\fmomtuqu.old"

     

    There's the trojan. This is a bit of a pain to manually remove as it does everything possible to protect itself: you cannot delete the file or reg entry as it's removed all permissions to access them, if you reset the permissions on the reg key and delete it then the trojan will put it back instantly, and if you remove the trojan file then explorer.exe will not be able to start because of the above reg entry. It also targets a lot of different tools. I put a small script together last time I tested this to remove it and fix the permissions, which I will post below; I will also post some instructions for removing the reg key manually just in case it's needed. Please ask any questions you may have before proceeding.

     

    Download LinkOptfix from Here and save it to your desktop

     

    Copy and paste these instructions to Notepad and save it to your C:\ drive in case you need to access it without using the start menu later.

     

    To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix. Open the newly created LinkOptfix folder and double click fix.bat; it will only take a few seconds to run. First it finds the filename, creates a backups folder, moves the file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions on its reg entry, removes the reg entry, then resets the permissions on its file and then restarts explorer.exe. You should then be able to run HijackThis and post a log and also run CCleaner; if you can, then ignore the rest of this post and reply so we can then check for the gromozon part of the infection.

     

     

    If you have problems and explorer.exe doesn't restart then you will have to remove its reg entry, which will be possible as the file would have been moved so it cannot load again. If explorer doesn't restart you will not be able to access the start menu, so press Control, Alt & Delete to open Task Manager, then click Applications and New Task. You can then click Browse to find the text file you saved with these instructions and click OK to open it, then type Regedit into Task Manager > Applications > New Task and click OK to open the registry editor.

     

    Click the [+] next to HKEY_LOCAL_MACHINE

    Click the [+] next to SOFTWARE

    Click the [+] next to Microsoft

    Click the [+] next to Windows NT

    Click the [+] next to Current Version

    Click the [+] next to Image File Execution Options

     

    Scroll down the list and find explorer.exe, then right click it and choose Permissions. On the permissions for Everyone area place a check next to Full Control, then click Apply and OK. Right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task, type explorer.exe and click OK and it will restart.

     

    You should not need the manual instructions as the fixtool should remove it fine, but it's best to be safe and provide an alternative just in case it's needed.

     

    Let me know if you have any problems or questions

     

    Cheers

     

    Andy

  3. Hi Ian

     

    Please can you start with this

     

    Go to Start Menu > Run > and copy and paste

     

    cmd /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt

     

    Press OK and it will export some information from your registry and save it to a text file named Result.txt, which will save to C:\ and also open in Notepad. Please post the contents of that file back on here.

     

    I suspect you have a variant of the gromozon rootkit and a linkoptimizer trojan. We can deal with the gromozon part a bit later if it's present, but it's the linkoptimizer trojan that is likely causing the problems: it hooks to explorer using a reg entry and changes permissions on the reg value and file so even Admin users cannot remove it. If you type CCleaner in Start > Run or Browsers then explorer will crash, same for other tools like HijackThis; even moving the mouse over the icon will crash explorer without you clicking it, so this trojan matches what you are describing. If anything removes the trojan file then you will not be able to restart explorer.exe (no desktop icons or start menu), but I will explain that in more detail after seeing the results from the above command.

     

    Cheers

     

    Andy

  4. I'll post the HJT log shortly :P

     

    I actually did feel like I had a trojan earlier: my mouse started left clicking things by itself every so often and dragging things I'd moused over. It was well annoying as it was highlighting text on websites if I moved up or down and clicking links without my having to left click. I went to a PC shop to get a new one and mentioned it while I was there, and the guy said 'Oh yeah, you've got a sticky button' (guess that's a new 'technical' term). I sort of figured that much out myself but my new mouse is being better behaved :)

  5. http://www.google.com/tisp/notfound.html

     

    The requested URL was not found on this server. There are so many reasons that this might have happened we can scarcely bring ourselves to type them all out. You might have typed the URL incorrectly, for instance. Or (less likely but certainly plausible) we might have coded the URL incorrectly. Or (far less plausible, but theoretically possible, depending on which ill-defined Grand Unifying Theory of physics one subscribes to), some random fluctuation in the space-time continuum might have produced a shatteringly brief but nonetheless real electromagnetic discombobulation which caused this error page to appear. Or (and truth be told, this is by far the most likely scenario) you might have reached a page that we meant to create but didn't get around to it, since this year's April Fool's joke got hacked together at the last minute, more or less the same way this one did. And this one. And this one, and this one, and this one...

  6. Hi Steve,

     

    Excuse the delay, I've just got back from work so have a bit of catching up to do :)

     

    You're best leaving the file in system32 for now until we can get some scanners run on your system to see what the infection is. You can get a list of the Image File Execution Options key if needed by going to Start > Run > then copy and paste

     

    cmd /c reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt

     

    Press OK and it will export the key details to a text file named Result.txt then open it with Notepad (it also saves to the C:\ drive). The only entry that should show a debugger value is this example entry

     

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

    Debugger REG_SZ ntsd -d

    GlobalFlag REG_SZ 0x000010F0

     

    I need to go back out for a while but I'll check on the HijackThis subforum for any updates when I get back and we can continue on there

     

    Cheers

     

    Andy

  7. Hi scotiabahn

     

    Hazelnut asked me to check on this thread, but I'm not sure at the moment if the malware has caused damage to the registry which is causing multiple problems, or if it will be possible to clean it up.

     

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]

    "Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

     

    Now that's not nice :blink: It's lucky in a sense that it's not added a debugger value for an essential file such as winlogon.exe, as you then wouldn't have been able to log in when you moved the wbjrwesa.txt file. This reg key sets up another program to run as a debugger when the initial file (explorer.exe) is run, but Windows doesn't verify that it's a legit debugger; it just starts the file in the debugger value, and if the file is deleted then the file which has the debugger value will not run either. In this case, where the debugger value is a txt file, I would have expected it to show errors even if the file exists, like 'explorer isn't a valid Win32 application', because it's trying to load the txt file; and if the txt file is removed then explorer.exe will not run and will give a message similar to 'Windows cannot find explorer.exe', so there may be other parts to this infection which are not showing up to now. The explorer.exe subkey isn't in the Image File Execution Options key by default so it's fine to remove it, but it does show that the machine has been infected.

     

    To remove the value go to Start > Run and copy and paste this

     

    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f

     

    Press OK and it will remove the key. You will not notice anything but the key will be removed; you can then attempt to move the txt file again and see if explorer loads on reboot. If it doesn't then there is something else protecting the reg entries or recreating it when it's removed. It may be easier to download Process Explorer from here to save having to keep rebooting

     

    http://download.sysinternals.com/Files/ProcessExplorer.zip

     

    Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop, then right click explorer.exe in Process Explorer and choose Restart. If it starts OK then the debugger value wasn't recreated, but if you get errors and explorer fails to restart then the debugger value is still present, so you will have to either run the reg fix again by using Task Manager > New Task or put the file back into system32 while we check for other trojans that may be protecting it.

     

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://morwillsearch.com/?adv_id=amandaxxx&sub_id=

     

    I'm sure you didn't set morwillsearch as your default search page, as they have been associated with many trojans over the years, mostly CWS and clicker variants, but that could have been on your system for a long time so it may be unrelated. It's also in your IE trusted zone so that needs fixing.

     

     

    O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

     

    This appears to be a pr0n dialer of some form which was probably installed without your consent, but the domain xearl.com is linked to gromozon infections, which are very difficult to clean due to rootkits being installed. That infection only seems to target Italian IP addresses, but with it being present on your system you will have to run a couple of rootkit scans to make sure it's clear. You can get more info on gromozon here

     

    http://www.prevx.com/gromozon.asp

     

     

    O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

     

    Another trojan entry; the file looks like it's already been removed at some stage but it's left the registry entry behind. I think it's a variant of VIPSearcher but it may be a Delf trojan

     

    http://research.sunbelt-software.com/threa...;threatid=40085

     

     

    Please post the logs from the steps below into a new topic on the HijackThis forum here, as this looks more like malware damage rather than CCleaner failing. If you cannot extract HijackThis then download the Trend Micro .exe version from here

     

    http://www.trendsecure.com/portal/en-US/th...JackThis_v2.exe

     

    Run Hijack This and choose Do A System Scan then place a check next to these entries

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h*tp://morwillsearch.com/?adv_id=amandaxxx&sub_id=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)

    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

    O15 - Trusted Zone: *.morwillsearch.com

    O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://zone.msn.com/bingame/popcaploader_v10.cab

    O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

    Close all open browser and other windows except for Hijack This and press the Fix Checked button

     

    Optional Fix

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    This is a lock on your homepage to prevent it being changed; the buttons in Internet Options to change it will be grayed out on the homepage part. If you or a protection program added the homepage lock then it can be ignored, but if not then it can be fixed with HijackThis.

     

    Download the Gromozon remover from Here and run it just to make sure there isn't an infection present.

     

    Download win32delfkil.exe.

    Save it on your desktop.

    Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

    Close all windows, open the win32delfkil folder and double click on fix.bat.

    The computer will reboot automatically.

    Post the contents of the logfile c:\windelf.txt into your new HijackThis topic :)

     

    Download Blacklight beta HERE and save it to your desktop.

    Run the program, accept statement > click next then scan

    When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.

     

    Finally, if you're able to, please do an online scan with Kaspersky WebScanner.

     

    Click on Kaspersky Online Scanner

     

    You will be prompted to install an ActiveX component from Kaspersky, click Yes.

    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under "Select a target to scan", select My Computer.
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
      • Save the file to your desktop.
      • Copy and paste that information in your next post.


    Please then start a new topic in the HijackThis forum and post the windelf.txt, the Blacklight log if it finds hidden files, and the Kaspersky log.

     

    Let us know if you have problems

     

    Regards

     

    Andy
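As an added example (not code from the thread or from any tool it mentions), this Python checker reads the Result.txt produced by the `reg.exe query ... /s` command above and flags any Image File Execution Options Debugger value that does not point at a recognised debugger, which is the condition Andy describes; it also checks a Winlogon Userinit value of the kind behind the F2 line in the first post. The debugger allowlist and the sample text are assumptions constructed for this example.

```python
"""Audit an IFEO registry export (reg query /s output) and a Userinit value.

Added example, not the thread's own code. The allowlist below and the
SAMPLE_* inputs are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass

IFEO_PATH = r"\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Binaries that legitimately appear as IFEO debuggers (assumed allowlist;
# extend it for your own environment).
KNOWN_DEBUGGERS = {"ntsd", "cdb", "windbg", "vsjitdebugger", "drwtsn32"}

_KEY_RE = re.compile(r"^HK(?:EY_)?[A-Z_]+\\", re.IGNORECASE)
# Value lines look like "    Debugger    REG_SZ    ntsd -d"
# (XP separates the columns with tabs, later versions with spaces).
_VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) from reg query /s output."""
    key = None
    for line in text.splitlines():
        if _KEY_RE.match(line):
            key = line.rstrip()
            continue
        m = _VALUE_RE.match(line)
        if key and m:
            yield key, m.group(1), m.group(2), m.group(3).strip()


def _debugger_binary(value):
    """Return (stem, ext) of the first token of a Debugger value, quoted or not."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        first = v[1:end] if end > 0 else v[1:]
    else:
        parts = v.split()
        first = parts[0] if parts else ""
    base = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (base, "") if not dot else (stem, ext)


@dataclass
class Finding:
    image: str      # the program Windows will intercept, e.g. explorer.exe
    debugger: str   # the raw Debugger data
    reason: str


def audit_ifeo(text):
    """Flag IFEO Debugger values that do not name a recognised debugger."""
    findings = []
    for key, name, _type, data in parse_reg_query(text):
        if name.lower() != "debugger":
            continue
        idx = key.lower().find(IFEO_PATH.lower())
        if idx < 0:
            continue
        # Whatever follows the IFEO path is the image name being intercepted.
        image = key[idx + len(IFEO_PATH):].lstrip("\\")
        if not image:
            continue
        stem, ext = _debugger_binary(data)
        if ext not in ("exe", ""):
            findings.append(Finding(image, data, f"debugger is a .{ext} file, not an executable"))
        elif stem not in KNOWN_DEBUGGERS:
            findings.append(Finding(image, data, "debugger is not a recognised debugger binary"))
    return findings


def audit_userinit(value):
    """Return each comma-separated Userinit entry other than userinit.exe itself."""
    extras = []
    for item in value.split(","):
        item = item.strip().strip('"')
        if item and item.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "userinit.exe":
            extras.append(item)
    return extras


# Constructed sample: the benign default entry quoted in the thread plus the
# hijacked explorer.exe entry it discusses.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger    REG_SZ    ntsd -d
    GlobalFlag    REG_SZ    0x000010F0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    Debugger    REG_SZ    "c:\windows\system32\wbjrwesa.txt"
"""
# Constructed sample matching the F2 line from the first post.
SAMPLE_USERINIT = r'c:\windows\system32\userinit.exe,"c:\windows\seagate-helper.exe",'

if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG_QUERY):
        print(f"{f.image}: {f.debugger} -> {f.reason}")
    print("extra Userinit entries:", audit_userinit(SAMPLE_USERINIT))
```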

  8. Glad you got things resolved.

     

    Regarding the CA AV problem, there's a FAQ page here with common problems listed

     

    http://home3.ca.com/Support/techsupport/iss.aspx#

     

    If you cannot find the issue then consider contacting CA if the problem continues; depending on where you're located you should be able to get help using their web support feature, so that may be easier

     

    US

     

    http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-US

     

    AU

     

    http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-AU

     

    UK

     

    http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-GB

     

    Euro

     

    http://home3.ca.com/support/techsupport/ad...x?sc_lang=en-IE

     

    All the best

     

    Andy

  9. Hi yr3750

     

    Check the Add/Remove screen first (Start Menu > Control Panel > Add or Remove Programs) and remove the ZoneAlarm and CA products if possible. Also check your system's date and time to make sure they are correct (Start Menu > Control Panel > Date and Time).

     

    If the date is correct and you cannot remove ZA then go to Start > Run > type

     

    services.msc

     

    Press OK then locate this in the service list

     

    TrueVector Internet Monitor

     

    If found, double click it to open the properties screen (or right click and choose Properties)

     

    On the Startup type change it to: Disabled

     

    On the Service Status, click Stop

     

    Then press Apply and OK

     

    (The above may generate Access Denied messages, but it is suggesting you stop the service in your post so it's worth a try)

     

    Run CCleaner to remove the contents of the Temp folders, then reboot and try to install ZA again.

     

    There are also instructions here for manually removing ZoneAlarm if needed

     

    http://www.castlecops.com/t99980-couldnt_v..._to_fix_it.html

     

     

    If you still cannot install ZA then you would be best contacting their customer support

     

    https://www.zonelabs.com/store/content/form...ech_support.jsp

     

    Andy

  10. Happy Christmas to all, hope you all get a nice surprise from Santa for being so great :D

     

     

    I've been getting ready for Christmas
    I'm revving up for the great day
    my credit card's cracked and my freezer is packed
    'cause I started my shopping in May
    The family is coming for dinner
    last year it was quite a good laugh
    we ate fairly late - dished the veg on the plate
    found the turkey was still in the bath
    the Kids are all pink with excitement
    'cause Santa will come so they say
    their lists are extensive - extremely expensive
    and they'll break it all by Boxing day
    But it's worth all that fuss Christmas morning
    when their little eyes are all aglow
    when we're all feeling merry full of goodwill and sherry
    and suffering from wind Ho Ho Ho
    But please don't forget why we do it
    why each year we must go to this fuss
    for that guy up above who brought peace and brought love
    and who probably owns Toys R Us..........

     

  11. It's a false positive as RRidgely said; it's just CCleaner's uninstaller, which is run if you remove it from the Add/Remove screen. If the system became unresponsive then that's not connected to the uninst.exe, but you should consider contacting the AV's customer support to report the false detection.

     

    If you do a Google search for this you will see other vendors have had similar problems with the uninstaller, but when they are notified they soon fix it

     

    http://www.google.co.uk/search?hl=en&q...virus&meta=

     

    Here's VirusTotal Results for the Uninst.exe file

     

    STATUS: FINISHED

    Complete scanning result of "uninst.exe", received in VirusTotal at 12.23.2006, 07:00:01 (CET).

     

    Antivirus Version Update Result

    AntiVir 7.3.0.21 12.22.2006 no virus found

    Authentium 4.93.8 12.22.2006 no virus found

    Avast 4.7.892.0 12.21.2006 no virus found

    AVG 386 12.22.2006 no virus found

    BitDefender 7.2 12.23.2006 no virus found

    CAT-QuickHeal 8.00 12.22.2006 no virus found

    ClamAV devel-20060426 12.23.2006 no virus found

    DrWeb 4.33 12.22.2006 no virus found

    eSafe 7.0.14.0 12.21.2006 no virus found

    eTrust-InoculateIT 23.73.97 12.23.2006 no virus found

    eTrust-Vet 30.3.3271 12.23.2006 no virus found

    Ewido 4.0 12.22.2006 no virus found

    Fortinet 2.82.0.0 12.23.2006 suspicious

    F-Prot 3.16f 12.22.2006 no virus found

    F-Prot4 4.2.1.29 12.22.2006 no virus found

    Ikarus T3.1.0.27 12.23.2006 no virus found

    Kaspersky 4.0.2.24 12.23.2006 no virus found

    McAfee 4925 12.22.2006 no virus found

    Microsoft 1.1904 12.23.2006 no virus found

    NOD32v2 1935 12.22.2006 no virus found

    Norman 5.80.02 12.22.2006 no virus found

    Panda 9.0.0.4 12.22.2006 no virus found

    Prevx1 V2 12.23.2006 no virus found

    Sophos 4.12.0 12.22.2006 no virus found

    Sunbelt 2.2.907.0 12.18.2006 no virus found

    TheHacker 6.0.3.135 12.20.2006 no virus found

    UNA 1.83 12.22.2006 no virus found

    VBA32 3.11.1 12.22.2006 no virus found

    VirusBuster 4.3.19:9 12.22.2006 no virus found

     

    Additional Information

    File size: 103230 bytes

    MD5: 33829fbbb9cdc957cfc23c748d51c40b

    SHA1: 2847f306dc5b33dbde3ca7c4826dbbe46a601b2d

    packers: BINARYRES

  12. Hi Fullbug

     

    SpywareBlaster is excellent. It doesn't run in the background and does all its work when you open the program and enable all protection; then you can just keep it updated and repeat the steps and close the program. It adds hundreds of malicious sites to the Restricted zone in IE to prevent any of those sites infecting you if you visit them, and it also blocks the popular ActiveX controls that are used by malware, so again it can prevent infections if you visit a malicious site.

     

    There's an excellent tutorial on SpywareBlaster here which explains its features in more detail.

     

    http://www.bleepingcomputer.com/tutorials/tutorial49.html

     

    Andy

  13. I've always found it funny that CWShredder detects CWSMsconfig any time you use the genuine MSConfig; it's been that way for as long as I can remember and it's still not fixed. For example, run MSConfig and make a change to the startup entries, then click Apply and exit; it will prompt for a reboot and add this to the Run key so that it loads again on reboot.

     

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

     

    Use CWShredder and it finds CWSMsconfig, deletes the run value and then gives this link for more info :)

     

    http://cwshredder.net/cwshredder/cwschronicles.html#msconfig

     

     

    Apart from that I agree with RRidgely that CWS isn't active now and they have likely moved on to the more recent infections, so CWShredder isn't that useful and is very unlikely to find anything on an infected system (unless you use MSConfig) :D

  14. Hi Jess

     

    The replacement files are really only needed if you used an older version of CCleaner on the Hotfix Uninstaller option, as that would have removed the uninstaller file for IE7 Beta. If you haven't used an older version then first check the Add/Remove screen for the IE7 entry (Start Menu > Control Panel > Add or Remove Programs) and uninstall it from there if it's listed.

     

    If you have removed the uninstaller using CCleaner then when you try to remove it using the Add/Remove screen it will show the file isn't found and remove it from the list; this is when you will need to replace its folder.

     

    There are a few versions of beta 2 (preview, refresh and the final beta 2) so it would have to be the same version you have to work correctly. I do have the uninstallers for other versions but this is the most common one that is needed.

     

    First download this file

     

    http://andymanchesta.com/IE7/$NtUnins...b2pmx$.zip and save it to your desktop

     

    Right click the .zip file and choose Extract All

     

    This will create a second folder on your desktop named $NtUninstallie7b2pmx$

     

    Right click that folder and choose Copy

     

    Next go to Start Menu > My Computer > C:\ drive > Windows

     

    When the Windows folder opens right click an Empty space and choose Paste

     

    Once that has been copied into the Windows folder go to Start Menu > Run > and copy and paste

     

    "C:\WINDOWS\$NtUninstallie7b2pmx$\spuninst\spuninst.exe"

     

    Press OK and it should then start the uninstall of IE7

     

    Let us know if you have any problems

     

    Andy

  15. Hi Hilamonsta

     

    I've just replied to your HijackThis log. The file windmh32.dll is a Trojan.Agent variant and is hooked to Winlogon but can be removed without problems, which we can address on your HijackThis topic if it still remains. The problem is it's not showing in your HijackThis log, which probably means you have Trojan Vundo on your system, as that installs a rootkit service (DP1112) to hide O2 BHO and O20 Winlogon entries from HijackThis.

     

    I will add another reply to your HijackThis thread to deal with Vundo if it's present, then we can see what else is hooking to Winlogon or if there are any malicious BHOs present and remove them :)

     

    Andy

  16. Good suggestion :)

     

    You can see where all the Uninstall entries point using HijackThis if needed, and also remove entries if they remain on the list after being uninstalled

     

    Download HijackThis

     

    Save it in a convenient permanent folder such as C:\HijackThis\

     

    Open HijackThis, click Open the Misc Tools section, then click the Open Uninstall Manager... button. The Add/Remove Programs Manager panel should appear.

     

    HijackThis will show the Uninstall Command for each entry in the top right corner, which will show you where the files are located, and the Delete this entry button will remove it if the files no longer exist.

     

     

     

    Andy

  17. Hi Davinci, welcome to the forum :)

     

    Glad the files helped. I've had a lot of emails asking for other versions recently, so there are now files on there for beta 2 preview, beta 2 refresh and the final beta 2, but I don't think they will be needed much longer as I believe the bug has been fixed in CCleaner. I'll keep the files there for anyone who needs them though, as it beats telling people to reinstall Windows :P

     

    I don't think CCleaner would have removed Gnucleus's uninstaller as this bug was just because of the Hotfix uninstall option, but if you are missing files, have you tried to reinstall it on top of itself, as it might be able to repair it?

     

    http://www.gnucleus.com/Gnucleus/general/download.html

     

    Andy
