Page 5 of 7

PostPosted: Mon Apr 07, 2008 10:49 am
by Killiney
My post before my previous post is missing the following:

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

PostPosted: Mon Apr 07, 2008 11:57 am
by Angoid
As Chris said, you can safely ignore all the sites on lines beginning with 127.0.0.1

They were probably put there by Spybot Search and Destroy or something similar, to protect you from them - they are malicious sites.

This does NOT mean that Killiney has visited any of them - they were merely put there pre-emptively by a legitimate program to stop them getting onto the computer.

It works by saying that the IP address of each of those sites is 127.0.0.1 - that happens to be a special address for your own computer! Thus if I tried to visit one, it would try to get it from your own computer, fail to find a Web server there, and come back with an error. Thus you're protected.

As they're legit, and we don't want links to those sites linked to from here, do you mind if we edit those posts to get rid of them? I needed to see the list just in case it did show anything up. Either you do the edit yourself or I'll do it on your behalf .... just give the word.

In your next post, can you post another log from HijackThis? If it contains all those 127.0.0.1 entries, then please feel free to edit them out before posting but please do not edit anything else in your log.

PostPosted: Mon Apr 07, 2008 12:03 pm
by Killiney
Angoid wrote:As Chris said, you can safely ignore all the sites on lines beginning with 127.0.0.1

They were probably put there by Spybot Search and Destroy or something similar, to protect you from them - they are malicious sites.

This does NOT mean that Killiney has visited any of them - they were merely put there pre-emptively by a legitimate program to stop them getting onto the computer.

It works by saying that the IP address of each of those sites is 127.0.0.1 - that happens to be a special address for your own computer! Thus if I tried to visit one, it would try to get it from your own computer, fail to find a Web server there, and come back with an error. Thus you're protected.

As they're legit, and we don't want links to those sites linked to from here, do you mind if we edit those posts to get rid of them? I needed to see the list just in case it did show anything up. Either you do the edit yourself or I'll do it on your behalf .... just give the word.

In your next post, can you post another log from HijackThis? If it contains all those 127.0.0.1 entries, then please feel free to edit them out before posting but please do not edit anything else in your log.


Thanks Angus,

I think I understand the last paragraph. I think.
So you want me to do another HCheck scan and then post the log in here?

PostPosted: Mon Apr 07, 2008 12:29 pm
by Killiney
Here's the HCheck log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:09:19, on 07/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (hej7rla5aqambc) - Unknown owner - C:\WINDOWS\system32\uvese.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12193 bytes

PostPosted: Mon Apr 07, 2008 6:33 pm
by ChrisRLG
can you edit all those host files entries out of your posts please.

Although they are save and keep you safe in your hosts file, they are very dangerious in your posts here where others may well click them.

If you have not edited them with 3 hours I will do it myself, as any visitor or member clicking on those links could get infected.

PostPosted: Mon Apr 07, 2008 7:12 pm
by Killiney
ChrisRLG wrote:can you edit all those host files entries out of your posts please.

Although they are save and keep you safe in your hosts file, they are very dangerious in your posts here where others may well click them.

If you have not edited them with 3 hours I will do it myself, as any visitor or member clicking on those links could get infected.


How do I go about editing them out of my posts?

EDIT
I have deleted all of the log to avoid confusion in what websites need to be deleted, I hope this is satisfactory.

PostPosted: Tue Apr 08, 2008 12:15 pm
by Angoid
Download Pocket Killbox (on that page, click on 'Killbox Download LinK') and unzip it; save it to your Desktop.

Close all programs down (including this browser session - so you'll need to pring this post off first if possible). Run Hcheck again and scan your system, but this time, instead of saving the logfile, check off the following entriee using the checkboxes on the left-hand side:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -


Click on Fix Checked and come out of HijackThis.

Run KillBox (it has a red circle with a white cross in it), and click the radio button that says Delete a file on reboot.

For each of the files in the list below, enter them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

C:\WINDOWS\system32\rvr.exe
C:\WINDOWS\system32\uvese.exe


The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Then post another HijackThis log as you did before; we'll take another look then.

Bear with us on this ..... this is very often an 'iterative process' where we keep asking for logs, analysing them, giving instructions, and so on. It can take a few 'passes' to get you clear.

PostPosted: Tue Apr 08, 2008 12:48 pm
by Killiney
Angoid wrote:Download Pocket Killbox (on that page, click on 'Killbox Download LinK') and unzip it; save it to your Desktop.

Close all programs down (including this browser session - so you'll need to pring this post off first if possible). Run Hcheck again and scan your system, but this time, instead of saving the logfile, check off the following entriee using the checkboxes on the left-hand side:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -


Click on Fix Checked and come out of HijackThis.

Run KillBox (it has a red circle with a white cross in it), and click the radio button that says Delete a file on reboot.

For each of the files in the list below, enter them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

C:\WINDOWS\system32\rvr.exe
C:\WINDOWS\system32\uvese.exe


The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Then post another HijackThis log as you did before; we'll take another look then.

Bear with us on this ..... this is very often an 'iterative process' where we keep asking for logs, analysing them, giving instructions, and so on. It can take a few 'passes' to get you clear.


Angus, thanks, I noticed the rvr.exe etc the other day on my antivirus software, I'll do this after I have had lunch and I can focus on what needs to be done, my minds all over the place at the moment.

Thanks.

Post scriptum
How do I unzip it?

PostPosted: Tue Apr 08, 2008 7:11 pm
by Angoid
You shouldn't have to unzip anything, but for future reference, whenever you do have a zipped file you can usually right-click it, and choose "Unzip" or "Unzip Here". Then click OK to the prompt.

The difference between Unzip and Unzip Here is that the former creates a new folder specifically for the unzipped files, whereas the other one doesn't.

If you know the zipped file (often referred to as an archive only contains one file), then using Unzip Here is usually the better one unless instructed otherwise.

PostPosted: Tue Apr 08, 2008 9:29 pm
by Killiney
Angoid wrote:You shouldn't have to unzip anything, but for future reference, whenever you do have a zipped file you can usually right-click it, and choose "Unzip" or "Unzip Here". Then click OK to the prompt.

The difference between Unzip and Unzip Here is that the former creates a new folder specifically for the unzipped files, whereas the other one doesn't.

If you know the zipped file (often referred to as an archive only contains one file), then using Unzip Here is usually the better one unless instructed otherwise.


Angus, sorry for the delay, but my wireless router has been playing up, and I've only just got it fixed, and as its late, I'll do that first thing tomorrow.

Thanks any way.

PostPosted: Tue Apr 08, 2008 9:39 pm
by Angoid
No worries, Killiney ..... I'm now going to turn in anyway :)

PostPosted: Wed Apr 09, 2008 10:02 am
by Killiney
Angoid wrote:No worries, Killiney ..... I'm now going to turn in anyway :)


Angus, my wireless routers completely mucked up for some reason. Grr. Not happy. With that aside, here I am lol. Anyway, down to business.

PS. The time's an hour out on the posts not that that's relevant

PostPosted: Wed Apr 09, 2008 10:17 am
by Killiney
Angus, in attempting to 'delete a file on reboot' using Pocket Killbox, when attemtping to delete C:\....uvese.exe, I get the message 'PendingFileRenameOperations Registry Data has been Removed by External Process!', please can you explain this?

PostPosted: Wed Apr 09, 2008 11:46 am
by Angoid
Aaarghhhh!!!! Put simply, it means one of two things:

1. Spybot Search and Destroy is actually protecting it. To overcome this, you need to turn 'TeaTimer' off. Take a look here for detailed instructions on how to do this. My apologies, I hadn't spotted before that you were running TeaTimer, and this can definitely interfere with a removal.

2. The malware is actively and aggressively resisting removal. What makes this sort harder is that the filenames it uses are random, which makes it all the harder to research.

Let's go with the TeaTimer option first. Turn it off according to those instructions I linked, and follow the former instructions again.

Leave TeaTimer turned off until we say you're clear .... then turn it back on again.

Let us know how it goes.

PostPosted: Wed Apr 09, 2008 11:52 am
by Killiney
Angoid wrote:Aaarghhhh!!!!


Is that bad then?

Sorry. Couldn't resist, but as for your view on the thingy actively resisting removal, now I'm completely baffled, but we'll come to that in time.

Thanks anyway.

EDIT

When attempting to run Spybot S&D, I get a little dialog saying 'Loading' with a percentage bar, then it freezes for some reason.