exploiy-beehappyy.biz

[clannie]

Hello I have just joined,I have exploit-beehappyy.biz on my computer found by Bazooka after doing a scan, another type of scanner showed trojan win32.dialer.Ewido and spysweeper haven't found anything bar the odd cookie.I use aol broadband but recently a dialer box comes up asking me to connect to internet using dial up.All very strange,can anyone shed any light on this please as I do not know how to tackle it.Thankyou.

[jwbirdsong]

Please download HijackThis version 1.99.1 from HEREand make sure to unzip and to it's own, permanent folder. To run HijackThis click Scan and then Save log, Post the new log in a reply to this thread. I would be happy to take a look at it.

[clannie]

Thank you for reply Here is the log

Logfile of HijackThis v1.99.1

Scan saved at 15:42:10, on 11/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Filseclab\xfilter\xfilter.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Voyager100Test\fts.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\AOL 9.0a\aoltray.exe

C:\Program Files\Common Files\AOL\1132916045\ee\AOLHostManager.exe

C:\Program Files\Common Files\Filseclab\FilMsg.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Common Files\AOL\1132916045\ee\AOLServiceHost.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

c:\program files\common files\aol\1132916045\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1132916045\ee\AOLServiceHost.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\SYSTEM32\cidaemon.exe

C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.co.uk

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Voyager100Test\fts.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132916045\ee\AOLHostManager.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe

O4 - Global Startup: Filseclab Messenger.lnk = ?

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll

O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll

O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll

O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll

O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll

O15 - Trusted Zone: http://www.airmiles.co.uk

O15 - Trusted Zone: http://www.dance-again.com

O15 - Trusted Zone: http://www.highlandradio.com

O15 - Trusted Zone: www.jacquielawson.com

O15 - Trusted Zone: www.kephyr.com

O15 - Trusted Zone: http://www.lloydstsb.com

O15 - Trusted Zone: http://www.majorgeeks.com

O15 - Trusted Zone: http://www.mcgahanlees.com

O15 - Trusted Zone: http://forums.techguy.org

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123330021234

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I also have the Bazooka log which I will send if you wish it.Thanks again much appreciated.

[jwbirdsong]

Where exactly is the infection being found?? _restore perhaps?? You have a couple of "non standard" entries but no Malware/Trojan.

Please run this online virus scan: ActiveScan

• Once you are on the Panda site click the Scan your PC button
  
• A new window will open...click the Check Now button
  - Enter your Country
  - Enter your State/Province
  - Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
  - Select either Home User or Company
  
• Click the big Scan Now button
  
• If/when you get a notice that Panda wants to install an ActiveX component allow it
  
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  
• When download is complete, click on Local Disks to start the scan
  
• When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
  

Also please run a FULL Ewido scan and post that log here along with the result of the Panda scan.

[clannie]

Sorry was away all day yesrerday but I managed to download Trojan Hunter and it found infection in some AOl files and in BT modem drivers I will try and send it to you.

{\rtf1\ansi\ansicpg1252\deff0\deflang2057\deflangfe1053{\fonttbl{\f0\fnil\fcharset0 Arial;}{\f1\fswiss\fprq2\fcharset0 Trebuchet MS;}}

{\colortbl ;\red255\green0\blue0;}

\viewkind4\uc1\pard\b\fs20 Registry scan

\par \pard\li200\b0 No suspicious entries found

\par \pard\b Inifile scan

\par \pard\li200\b0 No suspicious entries found

\par \pard\b Port scan

\par \pard\li200\b0 No suspicious open ports found

\par \pard\b Memory scan

\par \pard\li200\b0 No trojans found in memory

\par \pard\b File scan

\par \pard\li200\cf1\b0 Found trojan file: C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_AOL 9.0\\ukpppoecswitch11\\Voyager\\Wan_Driver\\USB\\WAN Driver\\DSLDRV\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_AOL 9.0\\ukpppoecswitch11\\Voyager100\\drivers\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_AOL 9.0\\ukpppoecswitch11\\Voyager100\\drivers98\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\Mr Wright\\Desktop\\Unused Desktop Shortcuts\\BT Voyager 100 AND KERRY'S CAMERA.zip/UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\Mr Wright\\Desktop\\Unused Desktop Shortcuts\\BT Voyager 100 AND KERRY'S CAMERA.zip/8RW9O.UserDiag.exe (Dialer)

\par \cf0 Error: Directory not found: C:\\Documents and Settings\\Mr Wright\\My Documents\\2005-08-13, killarney map\\0\\all ireland

\par \cf1 Found trojan file: C:\\Documents and Settings\\Mr Wright\\My Documents\\BT Voyager 100\\BT Voyager 100\\drivers\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\Mr Wright\\My Documents\\BT Voyager 100\\BT Voyager 100\\drivers98\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Program Files\\AOL\\Broadband CheckUp\\vendors\\aoluk\\content\\template\\driven_dev\\BroadBandAsst\\Voyager100\\drivers\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Program Files\\AOL\\Broadband CheckUp\\vendors\\aoluk\\content\\template\\driven_dev\\BroadBandAsst\\Voyager100\\drivers98\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Program Files\\Mil Incorporated\\Mil Shield\\ShieldAgent.exe (TrojanClicker.Adfd.100)

\par 10 trojan files found

\par \cf0\f1

\par }

Do you still wish the Panda scan and Ewido has found nothing.

[clannie]

Sorry was away all day yesrerday but I managed to download Trojan Hunter and it found infection in some AOl files and in BT modem drivers I will try and send it to you.

{\rtf1\ansi\ansicpg1252\deff0\deflang2057\deflangfe1053{\fonttbl{\f0\fnil\fcharset0 Arial;}{\f1\fswiss\fprq2\fcharset0 Trebuchet MS;}}

{\colortbl ;\red255\green0\blue0;}

\viewkind4\uc1\pard\b\fs20 Registry scan

\par \pard\li200\b0 No suspicious entries found

\par \pard\b Inifile scan

\par \pard\li200\b0 No suspicious entries found

\par \pard\b Port scan

\par \pard\li200\b0 No suspicious open ports found

\par \pard\b Memory scan

\par \pard\li200\b0 No trojans found in memory

\par \pard\b File scan

\par \pard\li200\cf1\b0 Found trojan file: C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_AOL 9.0\\ukpppoecswitch11\\Voyager\\Wan_Driver\\USB\\WAN Driver\\DSLDRV\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_AOL 9.0\\ukpppoecswitch11\\Voyager100\\drivers\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_AOL 9.0\\ukpppoecswitch11\\Voyager100\\drivers98\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\Mr Wright\\Desktop\\Unused Desktop Shortcuts\\BT Voyager 100 AND KERRY'S CAMERA.zip/UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\Mr Wright\\Desktop\\Unused Desktop Shortcuts\\BT Voyager 100 AND KERRY'S CAMERA.zip/8RW9O.UserDiag.exe (Dialer)

\par \cf0 Error: Directory not found: C:\\Documents and Settings\\Mr Wright\\My Documents\\2005-08-13, killarney map\\0\\all ireland

\par \cf1 Found trojan file: C:\\Documents and Settings\\Mr Wright\\My Documents\\BT Voyager 100\\BT Voyager 100\\drivers\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Documents and Settings\\Mr Wright\\My Documents\\BT Voyager 100\\BT Voyager 100\\drivers98\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Program Files\\AOL\\Broadband CheckUp\\vendors\\aoluk\\content\\template\\driven_dev\\BroadBandAsst\\Voyager100\\drivers\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Program Files\\AOL\\Broadband CheckUp\\vendors\\aoluk\\content\\template\\driven_dev\\BroadBandAsst\\Voyager100\\drivers98\\WAN Driver\\dsldrv\\UserDiag.exe (Dialer)

\par Found trojan file: C:\\Program Files\\Mil Incorporated\\Mil Shield\\ShieldAgent.exe (TrojanClicker.Adfd.100)

\par 10 trojan files found

\par \cf0\f1

\par }

Do you still wish the Panda scan and Ewido has found nothing.

sorry about double posting

log from panda scan

Incident Status Location

Adware:adware/secure32 Not desinfected C:\WINDOWS\system32\drivers\etc\hosts

[jwbirdsong]

Well the trojan hunter is all pointing to the same file UserDiag.exe and it i's a false positive...same with ShieldAgent.exe.

Open your hosts file in Notepad....path is the one Panda gave...does it have a bunch of entries that don't seem to belong there preceeded by 120.0.0.xx ?? If you are unsure of the hosts you can post it here.

A BASIC hosts file has one line (excluding comments). 127.0.0.1 localhost.

If you haven't changed yours and there are many entires we will clean it up.

Where exactly is the infection being found?? _restore perhaps?? You have a couple of "non standard" entries but no Malware/Trojan.

Still need answer to the above also.

[clannie]

Well the trojan hunter is all pointing to the same file UserDiag.exe and it i's a false positive...same with ShieldAgent.exe.

Open your hosts file in Notepad....path is the one Panda gave...does it have a bunch of entries that don't seem to belong there preceeded by 120.0.0.xx ?? If you are unsure of the hosts you can post it here.

A BASIC hosts file has one line (excluding comments). 127.0.0.1 localhost.

If you haven't changed yours and there are many entires we will clean it up.

Still need answer to the above also.

[

[clannie]

Can I post you the Bazooka log and see if you can work out where it is saying the virus is please.I would also like you to have a look at the host file for me, but unsure of how to attach it.

[jwbirdsong]

you can just copy and poste it with notepad into your reply..yes post the bazooka also

[clannie]

****************************************

Bazooka Scanner v1.13.03

http://www.kephyr.com/spywarescanner/

http://www.kephyr.com/spywarescanner/library/

support@kephyr.com

Log created 20:46:43.

OS: Windows NT 5.1

Database version: 3.120000

Database format version: 1.020000

Database date: 20051209

Current date: 2005-12-15 20:46

****************************************

Result when scanning:

Exploit Beehappyy.biz 544.734.001 %WinDir%\tempf.txt

C:\WINDOWS\tempf.txt

http://www.kephyr.com/spywarescanner/libra...biz/index.phtml

****************************************

Auto start entries:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe -boot

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

C:\Program Files\Common Files\Filseclab\FilMsg.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk

C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe -boot

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

C:\Program Files\Common Files\Filseclab\FilMsg.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Documents and Settings\Mr Wright\Start Menu\Programs\Startup\desktop.ini

C:\Program Files\SpywareGuard\sgmain.exe

C:\Documents and Settings\Mr Wright\Start Menu\Programs\Startup\desktop.ini

C:\Program Files\SpywareGuard\sgmain.exe

Go here to analyse the startup entries and the associated files:

http://www.kephyr.com/filedb/index.php

****************************************

Run entries:

AOLDialer C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AOLDialer

XFILTER "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\XFILTER

HPDJ Taskbar Utility C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HPDJ Taskbar Utility

gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ

%FP%Friendly fts.exe "C:\Program Files\Voyager100Test\fts.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%FP%Friendly fts.exe

HostManager C:\Program Files\Common Files\AOL\1132916045\ee\AOLHostManager.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HostManager

SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SpySweeper

THGuard "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\THGuard

Go here to analyse the run entries and the associated files:

http://www.kephyr.com/filedb/index.php

****************************************

Browser helper objects:

{4A368E80-174F-4872-96B5-0B27DDD11DB2} SpywareGuard Download Protection C:\Program Files\SpywareGuard\dlprotect.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}

{53707962-6F74-2D53-2644-206D7942484F} not set C:\PROGRA~1\SPYBOT~1\SDHelper.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}

****************************************

Toolbars:

{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINDOWS\System32\browseui.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{2318C2B1-4965-11D4-9B18-009027A5CD4F} c:\program files\google\googletoolbar1.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

{0E5CBF21-D15F-11D0-8301-00AA005B4383} C:\WINDOWS\system32\SHELL32.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{01E04581-4EEE-11D0-BFE9-00AA005B4383} C:\WINDOWS\System32\browseui.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}

{0E5CBF21-D15F-11D0-8301-00AA005B4383} C:\WINDOWS\system32\SHELL32.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}

{2318C2B1-4965-11D4-9B18-009027A5CD4F} c:\program files\google\googletoolbar1.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F}

{4D5C8C25-D075-11d0-B416-00C04FB90376} C:\WINDOWS\System32\shdocvw.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

{30D02401-6A81-11D0-8274-00C04FD5AE38} C:\WINDOWS\System32\browseui.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}

{32683183-48a0-441b-a342-7c2a440a9478} Error when opening a registry key, the key doesn't exist. Key: HKEY_CLASSES_ROOT\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\InprocServer32

System error message: The system cannot find the file specified.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}

{4D5C8C25-D075-11D0-B416-00C04FB90376} C:\WINDOWS\System32\shdocvw.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11D0-B416-00C04FB90376}

{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} C:\WINDOWS\system32\SHELL32.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

{EFA24E61-B078-11D0-89E4-00C04FC9E26E} C:\WINDOWS\System32\shdocvw.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}

{EFA24E62-B078-11D0-89E4-00C04FC9E26E} C:\WINDOWS\System32\shdocvw.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}

{EFA24E64-B078-11D0-89E4-00C04FC9E26E} C:\WINDOWS\System32\shdocvw.dll

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}

****************************************

All processes:

[system Process]

System

smss.exe

csrss.exe

winlogon.exe

services.exe

lsass.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

spoolsv.exe

scardsvr.exe

netdde.exe

AOLacsd.exe

cisvc.exe

svchost.exe

HPZipm12.exe

svchost.exe

WRSSSDK.exe

explorer.exe

AOLDial.exe

xfilter.exe

hpztsb07.exe

gcasServ.exe

fts.exe

SpySweeper.exe

THGuard.exe

aoltray.exe

FilMsg.exe

AOLHostManager.exe

gcasDtServ.exe

hpohmr08.exe

AOLServiceHost.exe

dllhost.exe

mpbtn.exe

wdfmgr.exe

hpotdd01.exe

vssvc.exe

sgmain.exe

wmiapsrv.exe

AOLSP Scheduler.exe

AOLServiceHost.exe

dllhost.exe

hpoevm08.exe

sgbhp.exe

wmiprvse.exe

msdtc.exe

hposts08.exe

cidaemon.exe

spywarescanner.exe

waol.exe

shellmon.exe

aoltpspd.exe

Go here to analyse the running processes:

http://www.kephyr.com/filedb/index.php

****************************************

Internet Explorer Settings:

http://www.google.com/keyword/%s

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl\

Default_Page_URL http://www.microsoft.com

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

Default_Search_URL http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

Search Page http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

Start Page http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

SearchAssistant http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

CustomizeSearch http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\

www http://

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

http://www.google.com/keyword/%s

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\

provider

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\provider

Start Page http://www.google.co.uk

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

Use Search Asst no

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst

User Stylesheet

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Styles\User Stylesheet

****************************************

This is the Bazooka log the file for hosts does not open as it seems to be reg entries can't get anywhere clicking on it

[jwbirdsong]

Open any file with Notepad and then drag/drop the Host file onto the open Notepad and it should open that way also.

Would you also post fresh HijackThis log also please.

Edited December 18, 2005 by jwbirdsong

[clannie]

new Hjt log

Logfile of HijackThis v1.99.1

Scan saved at 17:54:58, on 18/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\system32\netdde.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Voyager100Test\fts.exe

C:\Program Files\Common Files\AOL\1132916045\ee\AOLHostManager.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Common Files\AOL\1132916045\ee\AOLServiceHost.exe

c:\program files\common files\aol\1132916045\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

C:\Program Files\Common Files\AOL\1132916045\ee\AOLServiceHost.exe

C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe

C:\Program Files\AOL 9.0a\aoltray.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe

C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe

C:\WINDOWS\System32\msdtc.exe

C:\WINDOWS\SYSTEM32\cidaemon.exe

C:\Program Files\AOL 9.0a\waol.exe

C:\Program Files\AOL 9.0a\shellmon.exe

C:\Program Files\Common Files\AOL\aoltpspd.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://news.google.com/news?ned=uk&topic=n

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.google.co.uk

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Voyager100Test\fts.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132916045\ee\AOLHostManager.exe

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"

O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O15 - Trusted Zone: http://www.airmiles.co.uk

O15 - Trusted Zone: http://www.dance-again.com

O15 - Trusted Zone: http://www.highlandradio.com

O15 - Trusted Zone: www.jacquielawson.com

O15 - Trusted Zone: www.kephyr.com

O15 - Trusted Zone: http://www.lloydstsb.com

O15 - Trusted Zone: http://www.majorgeeks.com

O15 - Trusted Zone: http://www.mcgahanlees.com

O15 - Trusted Zone: http://forums.techguy.org

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123330021234

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37460.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E3C54A89-1743-4916-84FA-1FC52185BD12}: NameServer = 205.188.146.145

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\aol\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe

O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe

Have managed to get the hosts file on to notepad but now it has too many characters so is there any other way to send it? Thanks

[jwbirdsong]

Well if there are that many character then something funky is going on with it probably. Let's take a different tact.

Go to the HOSTS file and rename it OLDhosts.

If you have problems with the rename; Right click the hosts file and make sure that ReadOnly is UNchecked

Download Hoster from here: http://www.funkytoad.com/download/hoster.zip

Press 'Restore Original Hosts' and press 'OK'

Exit Program.

HJT log looks good

Find and delete C:\WINDOWS\tempf.txt

That's where you are getting your Beehappyy.biz from. Seems you are no long infected, just a text file left over from a previous infection perhaps.

Try browsing for a while with the new hosts file, see how everything is working..if all is well I'll post some final instructions for staying clean/malware free.

[clannie]

Have now tried to attach hosts file to you hope it has workedhosts_file_from_tg_s.txt

[jwbirdsong]

Keep it....HOSTS file is just fine..it's the MS MVP hosts file..it was gonna be my next recomendation. So igonore the hoster/renaming hosts directions from above. Everything seem ok now??

[clannie]

Have now tried to attach hosts file to you hope it has workedhosts_file_from_tg_s.txt

Have not done anything about new host file from Funky toad until I hear what you think about the host file that I have just sent you.Also deleted the tempf.txt log.

Have not done anything about new host file from Funky toad until I hear what you think about the host file that I have just sent you.Also deleted the tempf.txt log.

yes everything great now no probs at all thanks for great help.Is there anything else that I need to do?or is that it for now?

Have not done anything about new host file from Funky toad until I hear what you think about the host file that I have just sent you.Also deleted the tempf.txt log.

yes everything great now no probs at all thanks for great help.Is there anything else that I need to do?or is that it for now?

Also just scanned with Bazooka it now says "nothing detected"hurrah

hosts_file_from_tg_s.txt

[jwbirdsong]

Congratulations, your log is clean.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

• * Click Start.
  * Open My Computer.
  * Select the Tools menu and click Folder Options.
  * Select the View tab.
  * Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  * CHECK the Hide protected operating system files (recommended) option.
  * Click Yes to confirm.
  * Click OK.
  

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

• 1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    

2. Restart your computer.

3. Turn ON System Restore.

• On the Desktop, right-click My Computer.
  Click Properties.
  Click the System Restore tab.
  UN-Check Turn off System Restore.
  Click Apply, and then click OK.
  

System Restore will now be active again.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at link in my signature

Make SURE to read How Did I Get Infected in the First Place??

[clannie]

Thanks jwbirdsong have done it all now and you're a star!

[RubbeR DuckY]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team

an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.