New Malware help

Discussion in 'NOD32 version 2 Forum' started by jlo, Apr 17, 2005.

Thread Status:
Not open for further replies.
  1. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi All,

    I have been using Nod32 for around a year and am very happy with it. I however ran the Escan free antivirus tool (uses the Kaspersky engine) and found this on my computer.

    File C:\WINDOWS\system\vbpc.dll infected by "Trojan.Win32.Agent.cs" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system\vbpc.dll infected by "Trojan.Win32.Agent.cs" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.



    Both files are DLL files and you can see the location. The VBPC file was only detected by the KAV engine (checked at the Jotti scanner), but the other one was detected by more AV scanners, though not by Nod32.

    I am sending the files to Nod (password protected) with a link to this forum, as I would like to know what to do. I do a lot of internet banking on my computer so would like to know how much my computer is compromised!

    Many Thanks

    Jlo
     
  2. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Could someone move this post to the Nod32 group. Posted it in the wrong place. Sorry.

    Jlo
     
  3. Happy Bytes

    Happy Bytes Guest

    The word "Trojan" in the name is not as dangerous as it looks.
    It's spyware. No keylogger, no backdoor - 'only' spyware downloaders.

    So there is normally no risk for your online banking data. Kaspersky also calls the spyware downloaders "Trojan". And this Agent exists in numerous different versions. Please send it and we'll include it.

    8^) HB.
     
  4. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks Happy Bytes.

    I have just sent them in with a link to this thread.

    BTW, can I just delete these DLL files or will it mess up Windows XP? Should I run a HijackThis log?

    Cheers

    Jlo
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    req.dll won't just delete as it is installed with a hook to winlogon in XP.
    C:\WINDOWS\system\vbpc.dll should delete easily, but I've included it in the Killbox fix for easy use.

    Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

    Now run Killbox and paste THE FIRST ONE of these lines into the box, select delete on reboot, then press the red X button; say yes to the prompt but no to reboot now.

    Then continue to paste the lines in, in turn, and follow the above procedure every time. If it says the file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply.

    C:\WINDOWS\system32\req.dll
    C:\WINDOWS\system32\req.exe
    C:\WINDOWS\system32\req.dat
    C:\WINDOWS\system\vbpc.dll

    Then on the Killbox top bar press Tools and then Empty Temp Files, follow those prompts and say yes to everything.

    then reboot

    when it reboots

    Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix checked.

    O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dll
    O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll

    and any entries relating to C:\WINDOWS\system\vbpc.dll

    reboot again

    If you don't have HijackThis already, then

    go here and download 'Hijack This!'. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on the desktop.
    Click on the entry in the start menu or on the desktop to run HijackThis.
     
  6. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks very much for your help.

    I did as instructed with the killbox exe.

    I have now rebooted. Could you just check through my HijackThis log and tell me exactly what to fix?

    Many Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 19:59:50, on 18/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\PCI Audio Applications\Mixer.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Picasa\PicasaMediaDetector.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\vbpc.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...38/UK/24_3d_view_my_car_pop.jsp?noreloadredir
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O20 - Winlogon Notify: vbpc - C:\WINDOWS\system\vbpc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Just these need fixing:
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\vbpc.dll
    O20 - Winlogon Notify: vbpc - C:\WINDOWS\system\vbpc.dll

    But by the looks of it you have the new pest there that won't straight delete, and the only way to fix that is to boot up using the Windows CD, get into the Recovery Console and delete it using the DOS commands; no other way has been found yet.

    Please zip that file and send it to samples@nod32.com with a note referring to this thread.

    I'm sure someone here can explain a bit better than me about using the Recovery Console in XP, but the basics are here:
    http://www.wown.com/j_helmig/wxprcons.htm

    But once you have booted to RC, then at the C: prompt type del "C:\WINDOWS\system\vbpc.dll" and say yes to the prompts.

    If you haven't got a full XP CD then you will have to download the floppy set-up from M$ as described.
     
    Last edited: Apr 18, 2005
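    The pairing dvk01 points at in the two lines above (one DLL registered both as an Internet Explorer browser helper object, the O2 line, and as a Winlogon Notify handler, the O20 line) is the pattern worth looking for in any HijackThis log: winlogon.exe loads an O20 DLL at boot, before any user session exists, which is why the file is in use and cannot be deleted from inside Windows. The Python script below is an added example, not code from this thread or from HijackThis; it parses O2 and O20 lines, groups them by DLL path and reports why each path deserves a closer look. The sample log lines are constructed from the entries quoted in this thread, and the three heuristics (dual registration, a BHO with no display name, a DLL stored under C:\WINDOWS\system rather than system32) are triage hints, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis lines quoted in this thread
# (the two suspect DLLs plus benign Adobe, crypt32 and NOD32 entries).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\vbpc.dll
O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dll
O20 - Winlogon Notify: vbpc - C:\WINDOWS\system\vbpc.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""

# O2 = browser helper object loaded into Internet Explorer.
# O20 = DLL that winlogon.exe loads at boot, before any user session exists.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

DUAL = "same DLL is registered as both a BHO and a Winlogon Notify handler"
UNNAMED = "BHO registered without a display name"
LEGACY_DIR = "stored in the legacy C:\\WINDOWS\\system directory rather than system32"


def parse_hjt(text):
    """Return the O2 and O20 entries of a HijackThis log as a list of dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append({"section": "O2", "name": m["name"],
                            "clsid": m["clsid"].upper(), "path": m["path"]})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m["name"],
                            "clsid": None, "path": m["path"]})
    return entries


def _norm(path):
    # Case-insensitive, quote-stripped key so O2 and O20 paths compare equal.
    return path.strip().strip('"').lower()


def review_entries(entries):
    """Group entries by DLL path and list the reasons each path deserves a look.

    These are triage heuristics drawn from the pattern in this thread, not a
    malware verdict: a legitimate product could in principle trip one of them.
    """
    by_path = defaultdict(list)
    for e in entries:
        by_path[_norm(e["path"])].append(e)

    findings = {}
    for path, group in by_path.items():
        sections = {e["section"] for e in group}
        reasons = []
        if {"O2", "O20"} <= sections:
            reasons.append(DUAL)
        if any(e["section"] == "O2" and e["name"] == "(no name)" for e in group):
            reasons.append(UNNAMED)
        if path.startswith("c:\\windows\\system\\"):
            reasons.append(LEGACY_DIR)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in review_entries(parse_hjt(SAMPLE_LOG)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

    Run against the constructed sample it reports vbpc.dll (dual registration, legacy directory) and req.dll (dual registration, unnamed BHO) and stays silent on the Adobe and crypt32 entries; on a real log, paste the whole file into `parse_hjt` and treat each finding as a file to submit to the vendor and to remove only once it is no longer loaded, as the thread describes.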
  8. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks again for your post.

    I tried fixing with HijackThis but it keeps coming back :(

    I sent the files to Nod32 yesterday with a link. I would really appreciate an analysis of those files just for my peace of mind, so I know what this malware or spyware is doing on my computer.

    I think if I have to go to recovery and DOS to sort it out I will need to get a friend in to help, as it's too technical for me.

    Cheers

    Jlo
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You can't delete these from inside Windows as they are attached to winlogon, which starts before all the other Windows processes, & I'm afraid the RC is the only way.

    It's a good idea to get a friend in to help though.
     
  10. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks again.

    I have sent the file to KAV as well to ask them if they can give me an analysis of what the file does.

    Will report back with any replies.

    Guess I will have to get the old windows XP home disk out!!!

    Cheers

    Jlo
     
  11. Happy Bytes

    Happy Bytes Guest

    Did somebody tell this poor guy that he has to CLOSE all Internet Instances - OTHERWISE THIS COMES BACK ALL THE TIME!

    That means if you have a browser window still open during fixing this IT WILL NOT WORK!
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Mike when you look inside the files you see the protection this pest has inbuilt to it, that's why it needs RC to delete it and only then can you fix the reg entries with HJt
     
  13. Happy Bytes

    Happy Bytes Guest

    I don't have the files here yet :(
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I sent them to you on the 14th to your personal email address.

    webjava.zip - it's the same file; they are using semi-random file names. It's a new Vundo version, the Virtumonde adware pest.
     
  15. Happy Bytes

    Happy Bytes Guest

    hm... let me check... do you mean this one?
     

    Attached Files:

    • web.jpg (24.9 KB)
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Well, I don't read Cyrillic, but that is the right name, and it was 368k when it left here, but with IE overheads I suppose 486 would be right.
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Mike, I've sent you a new email with 2 slightly different versions and the req.dat file as well.
    The file name is aardvak.zip.
     
  18. Happy Bytes

    Happy Bytes Guest

    OK, but I'll take a look at it tomorrow; it's already past midnight.
     
  19. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    I have sent in my files again and asked for them to be forwarded to Happy Bytes, and linked this thread.

    Hi,

    Please forward this on to HappyBytes as requested at https://www.wilderssecurity.com/showthread.php?t=75902

    Many Thanks

    Jlo
    The zip file is 'help.zip' and password 'infected'

    Many Thanks

    Jlo
     
  20. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Nod32 now detects this trojan but can't do anything with it, as we expected.

    Time Module Object Name Virus Action User Info
    19/04/2005 07:57:18 AMON file C:\WINDOWS\system\vbpc.dll Win32/Agent.CS trojan NT AUTHORITY\SYSTEM


    Unfortunately, as soon as my computer fires up this is the message I get. I can't quarantine or delete it!

    Is there any chance of a tool being made to help me get rid of this virus, or is the only way to use the Windows XP disk and DOS commands?

    If so, I would very much appreciate it if someone could give me step by step instructions on how to do this.

    Also, if anyone could tell me what the virus does I would be much appreciative.

    Cheers

    Jlo

    PS Until I sort it I will have to keep Amon deactivated.
     
  21. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The only way to remove it is to use the windows CD and boot to a dos prompt

    It is NOT fixable from inside windows
     
  22. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Thanks for all the help so far. You are a life line!

    Well Ok this is as far as I got.

    Managed to change my BIOS setting to boot from the CD disk.

    Put in my Home Edition XP disk.

    Booted up into the Windows Recovery Console as per the instructions, but got to the screen where it says 'which installation do you want to log on to'.

    Click 1 as suggested in the instructions and then you need to put in the administrator password. Now I am the administrator and know the password, but it does not accept what I put in? It just says incorrect password 3 times and then reboots.

    I went on to load up Windows and checked I am still the administrator and my password works to log on to the computer, but not through DOS.

    Any ideas?

    Cheers

    Jlo
     
  23. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Success. Many thanks to all. To get past the administrator password I just had to click the space bar.

    That nasty agent trojan has gone.

    I rescanned with KAV and now I just have this one, which I think is adware:


    File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.

    and is not detected by Nod.

    Could you also have a look at my HijackThis log and advise whether to just delete the file?

    Many Thanks

    Jlo
     
  24. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Logfile of HijackThis v1.99.1
    Scan saved at 19:30:38, on 19/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\PCI Audio Applications\Mixer.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Picasa\PicasaMediaDetector.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\DOCUME~1\JAMESL~1\LOCALS~1\Temp\mwavscan.com
    C:\DOCUME~1\JAMESL~1\LOCALS~1\Temp\kavss.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st800\DSLMON.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...38/UK/24_3d_view_my_car_pop.jsp?noreloadredir
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{156246A4-1F5C-41A9-9A05-CAF87970BCD3}: NameServer = 212.74.114.129 212.74.114.193
    O17 - HKLM\System\CS1\Services\Tcpip\..\{156246A4-1F5C-41A9-9A05-CAF87970BCD3}: NameServer = 212.74.114.129 212.74.114.193
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
     
  25. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

    Now run Killbox and paste THE FIRST ONE of these lines into the box, select delete on reboot, then press the red X button; say yes to the prompt but no to reboot now.

    Then continue to paste the lines in, in turn, and follow the above procedure every time. If it says the file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply.

    C:\WINDOWS\system32\req.dll
    C:\WINDOWS\system32\req.exe
    C:\WINDOWS\system32\req.dat

    Then on the Killbox top bar press Tools and then Empty Temp Files, follow those prompts and say yes to everything.

    Then reboot.
     