Problems with yoogee...please help!

Discussion in 'adware, spyware & hijack cleaning' started by sukhi, May 9, 2004.

Thread Status:
Not open for further replies.
  1. sukhi

    sukhi Registered Member

    Joined:
    May 9, 2004
    Posts:
    7
    Hi group !!

    I am getting serious headaches due to this yoogee.com. This website or parasite is not allowing me to open my web pages and I am losing a lot in my development work.

    If any of you could help me.. it would be very nice of you !!!

    Here is the hijack.exe log file .....

    Logfile of HijackThis v1.97.7
    Scan saved at 3:38:04 PM, on 5/9/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\svohost.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINNT\system32\window.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Documents and Settings\rrd.IMSRRD42\Desktop\EditPlus 2\editplus.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Documents and Settings\administrator\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\z06qb92k.slt\prefs.js)
    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem216.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [System Rustare] C:\WINNT\svohost.exe
    O4 - HKLM\..\Run: [ytqfyjuv] C:\WINNT\ytqfyjuv.exe
    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
    O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
    O4 - Startup: YahooPOPs.lnk = C:\Program Files\YahooPOPs\YahooPOPs.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\Iesearch.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{35B07373-FA10-45FB-9D7D-58ED55B9CDC0}: NameServer = 203.124.136.19,202.54.1.18
    O17 - HKLM\System\CS2\Services\Tcpip\..\{35B07373-FA10-45FB-9D7D-58ED55B9CDC0}: NameServer = 203.124.136.19,202.54.1.18
    O17 - HKLM\System\CS3\Services\Tcpip\..\{35B07373-FA10-45FB-9D7D-58ED55B9CDC0}: NameServer = 203.124.136.19,202.54.1.18

    waiting for your replies....

    Regards,
    Steve
     
  2. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hello,

    Your post and my answer are going to be moved into a new thread. Having more than one person's hijackthis log in a thread can get confusing. The mod will let you know where it goes. Post has been moved to its own thread, so disregard the previous statement.

    You need to update your antivirus and do a full system scan because there is one on your system. Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/virusinfo/virusscan.aspx to verify it is removed.
    Here is info on the virus you have: http://securityresponse.symantec.com/avcenter/venc/data/trojan.mitglieder.h.html




    You are running hijackthis from your desktop, this is not a good idea because when we do a fix hijackthis will create backups and they will be spread all over your desktop. Right click on an empty part of your desktop and select "New" from the menu, then select "Folder". Name the folder Hijackthis or whatever you want. Place Hijackthis inside of this new folder.
    Then restart the computer if it hasn't been done so already, because Spybot needs that to be done to finish cleaning.




    Check the following items and then close all windows except hijackthis and click "fix checked". Some of the items may not be present after cleaning the virus and having Spybot finish.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem216.dll

    O4 - HKLM\..\Run: [System Rustare] C:\WINNT\svohost.exe

    O4 - HKLM\..\Run: [ytqfyjuv] C:\WINNT\ytqfyjuv.exe

    O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

    O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\Iesearch.exe




    Then restart the computer and find the following to delete:

    C:\WINNT\svohost.exe <--- delete file Note spelling, not the valid svchost.exe and in wrong directory

    C:\WINNT\ytqfyjuv.exe <--- delete only file

    C:\WINNT\alchem.exe <--- delete only file

    C:\WINNT\system32\window.exe <--- should be gone after virus clean up, if still present, rescan with antivirus


    After doing all of the above, post a new hijackthis log.






    Note, you need to update Windows 2000 to service pack 4. This can be accessed by going to http://v4.windowsupdate.microsoft.com/ and following the prompts.
     
    Last edited: May 9, 2004
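Nick's note on svohost.exe (a misspelling of the valid svchost.exe, sitting in the wrong directory) can be turned into a repeatable check over a HijackThis log. The Python below is an added example, not part of the original thread or of HijackThis; the reference list of system binaries, the distance-1 threshold and the autostart heuristic are assumptions, and the sample lines come from the first log above apart from one constructed entry.

```python
import ntpath
import re

# Assumed reference set (not from the thread): a few core Windows 2000
# binaries and the one directory each should run from.
SYS32 = r"c:\winnt\system32"
SYSTEM_BINARIES = dict.fromkeys(
    ("svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "smss.exe"), SYS32)
SYSTEM_BINARIES["explorer.exe"] = r"c:\winnt"
AUTOSTART = "autostart from Windows root or Temp"
O4_RUN = re.compile(r'^O4 - HK\w+\\\.\.\\Run\w*: \[.+?\] "?(.+?\.exe)', re.I)
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

# Lines copied from the first log in this thread, except C:\WINNT\svchost.exe,
# which is constructed to exercise the wrong-directory check.
SAMPLE = r"""
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\svohost.exe
C:\WINNT\system32\window.exe
C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [System Rustare] C:\WINNT\svohost.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [msbb] c:\docume~1\admini~1\locals~1\temp\msbb.exe
"""


def edit_distance(a, b):  # Levenshtein distance, one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_path(path, autostart=False):
    """Return the set of findings for one executable path."""
    path = path.strip().lower()
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    if name in SYSTEM_BINARIES:  # real name: only the directory can be wrong
        wrong = folder and folder != SYSTEM_BINARIES[name]
        return {f"{name} outside {SYSTEM_BINARIES[name]}"} if wrong else set()
    # Distance 1 only: a single typo away from a real name, e.g. svohost.exe.
    findings = {f"{name} imitates {real}" for real in SYSTEM_BINARIES
                if edit_distance(name, real) == 1}
    if autostart and (folder == r"c:\winnt" or folder.endswith(r"\temp")):
        findings.add(AUTOSTART)
    return findings


def triage(log_text):
    """Map each flagged path (lower-cased) to its set of findings."""
    report = {}
    for line in map(str.strip, log_text.splitlines()):
        run = O4_RUN.match(line)  # autostart entry, else a running process
        if not run and not PROCESS.match(line):
            continue
        path = run.group(1) if run else line
        findings = check_path(path, autostart=bool(run))
        if findings:
            report.setdefault(path.lower(), set()).update(findings)
    return report


if __name__ == "__main__":
    for path, findings in triage(SAMPLE).items():
        print(path, "->", sorted(findings))
```

C:\WINNT\system32\window.exe, which Nick's reply ties to the virus, matches none of these rules, so an empty result only narrows the list and does not clear a file.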
  3. sukhi

    sukhi Registered Member

    Joined:
    May 9, 2004
    Posts:
    7
    Hello Nick,

    Thank you very much for all the help.... but the problem of this yoogee.com still persists....

    1) I have updated the Antivirus scan and then run the complete scan of the computer.

    2) I have "fix checked" the items listed by you.

    3) I have updated the Windows2000 to service pack4 and other updates also.

    4) I have also deleted the files as you suggested.

    "*****Re: C:\WINNT\system32\window.exe <--- should be gone after virus clean up, if still present, rescan with antivirus ****"

    This file "window.exe" is still present after the antivirus scan.

    ----------------------

    I am attaching the log file of hijackthis.exe created after restarts and after following these processes.....

    Logfile of HijackThis v1.97.7
    Scan saved at 2:31:24 PM, on 5/12/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\ICQ\ICQ.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msbb.exe
    C:\Program Files\YahooPOPs\YahooPOPs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\administrator\Desktop\hijack this\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\z06qb92k.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\z06qb92k.slt\prefs.js)
    O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\system32\bridge.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem216.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
    O4 - HKLM\..\Run: [msbb] c:\docume~1\admini~1\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [fsd] C:\WINNT\fsd.exe
    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
    O4 - Startup: YahooPOPs.lnk = C:\Program Files\YahooPOPs\YahooPOPs.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38118.9862037037
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{35B07373-FA10-45FB-9D7D-58ED55B9CDC0}: NameServer = 203.124.136.19,202.54.1.18
    O17 - HKLM\System\CS2\Services\Tcpip\..\{35B07373-FA10-45FB-9D7D-58ED55B9CDC0}: NameServer = 203.124.136.19,202.54.1.18
    O17 - HKLM\System\CS3\Services\Tcpip\..\{35B07373-FA10-45FB-9D7D-58ED55B9CDC0}: NameServer = 203.124.136.19,202.54.1.18


    Looking forward to hearing from you soon!

    Thanks & Regards,
    Steve :'(
     
  4. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Hi again, Did Norton or the online scans say anything about what they found? Do a scan again with the latest update and see what Norton finds. If it doesn't find it, perhaps it is a new variant that you have gotten, and you should contact Symantec about it.
    By the way, Windows 2000 doesn't have System Restore, so we can rule that out.


    You also got some new malware files. Check these and close all windows except hijackthis and click "fix checked"

    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll

    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINNT\system32\bridge.dll

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem216.dll

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load

    O4 - HKLM\..\Run: [msbb] c:\docume~1\admini~1\locals~1\temp\msbb.exe


    Then restart and find:


    C:\WINNT\system32\bridge.dll <-- delete file

    c:\docume~1\admini~1\locals~1\temp\msbb.exe <--- delete file

    Enable hidden files if you can't find them. http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5




    I don't have any info on this one. Can you find the file on your system and right click on it and select properties? Then post what they are.
    O4 - HKLM\..\Run: [fsd] C:\WINNT\fsd.exe


    Post back with a new HJT log and let us know how it is going.


    I would recommend the following to help keep you from getting infected again.

    Protection - download and install:

    SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacoolsoftware.com/spywareblaster.html

    IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

    Both are very small free programs that you run once, and then just occasionally run to check for updates.

    And also see how did I get infected
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  6. sukhi

    sukhi Registered Member

    Joined:
    May 9, 2004
    Posts:
    7
    Please don't hide the post as I am suffering a lot due to this yoogee.com and the answers to my questions are also being given by "SPYWARE FIGHTER" Nick.

    If you can help me out with this, it will be really appreciated.

    Thanks & Regards, :(
    Steve
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Sukhi

    follow Nick's advice and then post a new log and we'll see what else needs doing

    the hidden/removed post was not relevant to your problem in the slightest
     
  8. sukhi

    sukhi Registered Member

    Joined:
    May 9, 2004
    Posts:
    7
    Yooogeee Removed .....

    Thank you very very much ....... Hurray !!!!!!!!!!!!!!
    It's done..... after following your last advice... it's removed from my computer
    and I have also installed the "SPYWAREBLASTER" for future....

    I really appreciate all the help that I got through this Forum... You guys are really wonderful !

    Thanks once again,
    Steve :)
     
  9. Nick

    Nick Registered Member

    Joined:
    May 14, 2002
    Posts:
    187
    Location:
    California
    Re: Yooogeee Removed .....

    That's good to hear.

    You wouldn't happen to have looked up that fsd.exe and gotten some info on it?
     
  10. sukhi

    sukhi Registered Member

    Joined:
    May 9, 2004
    Posts:
    7
    Hi Nick,

    I checked the properties of fsd.exe and it says :

    Type of File : Application

    Description : fsd

    Size : 92 kb

    Created : Wednesday, May 12, 2004, 12:01:16 PM

    Accessed : Today, May 14, 2004, 11:30:10 AM

    Attributes : HIDDEN

    Location : C:\WINNT

    I hope this may help you to decide what this file is....!!

    Thanks,
    Steve
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Sukhi

    I think we need to have a look at that file

    zip it up and send to me

    submit@thespykiller.co.uk with a short note referring to this thread

    I'll let you know what it is and how to fix it if it needs fixing
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Sukhi

    I got the file; it's the N-Case 180 parasite that causes pop-ups etc.

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKLM\..\Run: [fsd] C:\WINNT\fsd.exe


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINNT\fsd.exe




    Edit:

    Just a short comment

    I love the way it says inside the file amongst the other rubbish

    "The system has detected that a third-party application has removed n-CASE , possibly without your consent. This may cause some programs not to run as expected"

    As if it doesn't stealth install itself without your knowledge and consent, the cheek of these parasites is beyond belief :p
     
    Last edited: May 14, 2004
  13. sukhi

    sukhi Registered Member

    Joined:
    May 9, 2004
    Posts:
    7
    Hi...

    I was receiving this message in a small window.. but I kept ignoring that..

    "The system has detected that a third-party application has removed n-CASE , possibly without your consent. This may cause some programs not to run as expected"

    Now, I have followed the instructions and my PC is as clean as it was before...

    Thanks once again...

    Steve
     