coltm4carbine

Members
  • Posts: 273

Everything posted by coltm4carbine

  1. try this: go to add/remove programs and look for Multimedia Keyboard Driver. If you see it then you know it's legit- if you don't then...oh dear. my 2 cents anyway.
  2. it's poop because antiviruses hardly get rid of this vundo (Most don't anyway-symantec says it can't repair it) that's why you need a proper tool designed for it. the tool is vundo fix. for anyone that replies to his log watch out for an o2 MSEvents Object with a random filename. also look out for an o20 with the same random filename.
  3. kk post a HJT log- i got some good old programs for it.
  4. i use it, most of the time :) rock on for google!
  5. gtg soon. have you ever updated your windows?

     Please submit the following file to one of these online file scanners.

     C:\WINDOWS\kl.e3e (CAUTION - executable file)

       • Jotti File Scan
       • VirusTotal File Scan

     This will produce a report after the scan is complete, please copy and paste those results in your next post with the results of the scan below.

     cos i gtg soon run this so i will be able to see the report when i log on tomoz (hopefully).

     I need you to download MWav to a convenient location. This scan might take around 3+ hours to finish when set to scan everything. I need you to run MWav by double-clicking on mwav[Caution: ExecutableFile]. Put a check next to the below items before scanning:

       • Memory
       • Startup Folders
       • Drive - All Local Drives
       • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
       • Registry
       • System Folders
       • Services
       • Include Sub-Directory
       • Scan All Files

     Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

     **NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

     On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
  6. something is running on your system that shouldn't be but i can't seem to see it in the log.

       • Open HijackThis, click Config, click Misc Tools
       • Click "Open Uninstall Manager"
       • Click "Save List" (generates uninstall_list.txt)
       • Click Save, copy and paste the results in your next post

     if i can't figure out what's the prob i might have to use the canned fix for smitfraud.c. it might not work (doubt it) but it is gonna be worth a try. let's see if i can find out what's wrong first.

     *edit* kk seen the screenshots now. i might get you to use BFU or killbox or delete it on reboot.
  7. My computer is still very slow and I'm unable to select my background. Remember that I couldn't delete this file?? Code: Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\kl.e3e (CAUTION - executable file) Maybe it's the trouble maker.. Don't know. I didn't turn off the system restore while running the cwshredder. Did I have to? No you did not have to. If it was CWS it would have got deleted/ fixed - unless you haven't updated it. go to add/remove programs and list all the weird things that you haven't seen before.
  8. Js Wonka is the name (McAfee). Still don't know his path though- the problem might have been sorted. nope swizzor would be detected as the Adware-Lop by McAfee. for those who are wondering the most common (and easiest) way to get swizzor/ lop.com infections is from downloading MSN Messenger plus. In the small print there is a small paragraph about advertisements from lop.com. <- always read the small print.
  9. This is needed to download things off fileplanet.com. Without it, nothing will download. oops my bad I had to stay up quite late to see his reply, It shouldn't matter too much because o16s are all active x objects. If they will be needed again then all you have to do is to redownload it. If you cannot redownload it for any reasons you can always restore the entry. just shows how important it is to move HJT into its own folder... ok back to business- canned for restoring HJT backups.

     To restore the backups:

       • Open HiJackThis
       • Click Open the Misc Tools section
       • Click the Backups button
       • Place a check mark next to O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab
       • Click Restore
       • Click Yes
       • Reboot your computer
       • Re-open HiJackThis and post a new logfile for review.
  10. how's ur pc now? ewido should have cleaned out most (if you have rebooted).

      Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items (if found), then click fix checked.

      O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab

      O17 - HKLM\System\CCS\Services\Tcpip\..\{F28B19E0-2F1A-4189-97C7-CF3FDED1F881}: NameServer = 194.126.115.18 194.126.101.34 <- If you see entries for this and do not recognize the domain as belonging to your ISP or company, and the DNS servers do not belong to your ISP or company, then you should have HijackThis fix it.

      info about the o17:

      Registrant: Elion Ettevõtted Aktsiaselts (end. AS Eesti Telefon)
      Hobujaama 4
      Tallinn 15033
      TEL 639 7213
      FAX 639 7341
      Domain Name: estpak.ee
      Contacts: Andres Kepler [email protected]

      can you update your windows? if you can do it.
  11. oh god no.... i hate it when things like these happen... yeh i know what you mean. haven't even got my sandwich out of my fridge yet and this happened... run the scans and i see what to do next. btw the background, i think, is caused by spysheriff.
  12. ok so you're telling me you deleted them manually? (i got a canned fix for spysheriff) post a new HJT log... i take a look at the scan results after i have some sandwiches... apparently you have a CoolWebSearch infection.

      Download CWShredder here to its own folder.

      Update CWShredder

        • Open CWShredder and click I AGREE
        • Click Check For Update
        • Close CWShredder

      Boot into Safe Mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

      Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.

      then: Please download ewido security suite it is a trial version of the program.

        • Install ewido security suite
        • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
        • Launch ewido, there should be an icon on your desktop double-click it.
        • The program will prompt you to update click the OK button
        • The program will now go to the main screen

      You will need to update ewido to the latest definition files.

        • On the left hand side of the main screen click update
        • Click on Start

      The update will start and a progress bar will show the updates being installed.

      Once the updates are installed do the following:

        • Click on scanner
        • Make sure the following boxes are checked before scanning:
            • Binder
            • Crypter
            • Archives
        • Click on Start Scan
        • Let the program scan the machine

      While the scan is in progress you will be prompted to clean files, click OK

      Once the scan has completed, there will be a button located on the bottom of the screen named Save report

        • Click Save report
        • Save the report to your desktop

      Reboot your machine and post back a new HJT Log and the Ewido Scan .txt Log file you saved by using Add Reply
  13. yeh but i never ever trust them. well see if that works if it does then congrats! you might wanna see if you have any updates to do- it shouldn't have gone into ur comp in the first place. least your desktop didn't get hijacked fully if it did it would have been a real pain to remove.
  14. D'OH! I was afraid of that :roll: ok nvm then i knew it was a bad idea telling you the bad line sooo early.... if it was the smitfraudc you need a fix for the reg on top of that.... ok post a new log and the scan results so we can see what else still needs to be fixed :roll: *edit* ok still post a new hjt and the scan logs. i got a bad feeling this might take a bit longer than planned....
  15. yeh it should be a trojan but i need the scan results :) looking forward to it (hope it comes clean)
  16. where are the results from the online scan? can u post a screen shot about the message. I heard about this a few months ago at the McAfee forums but i can't seem to find the posts...
  17. you ran HJT in safemode? if you did i need one in normal mode.
  18. i can see at least one bad

      O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp754A.tmp

      have you run your avg? and has your desktop been hijacked? that line is like the smitfraud.c (in fact the CLSID is, as for the filename that's random) http://www.sophos.com/virusinfo/analyses/trojpuperg.html

      run your avg then run these to double check if it is the smitfraud. Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

      +++++ If you are unable to run the activeX Antivirus Scanners, let's try this Java based solution from Trend Micro.

      does your desktop look like this by any chance? http://img45.imageshack.us/my.php?image=adwaresmitfraudimg13ni.gif
  19. Please can you extract all your HiJack this files to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible. then post a new log. BTW not desktop. is your AVG up-to-date? if not then update it and scan it in safemode. Trojan.Zlob.D Trojan
  20. hi, post a hijackthis log- i take it your desktop has been hijacked. Spyaxe IS a desktop hijacker.... don't download it- it's gonna give you a lot more problems. and it's a rogue.
  21. Backdoor.Prorat Virus. This Trojan allows attackers to access your computer, stealing passwords and personal data. ok, try the online scan again- bit surprised avg didn't find the rest. see if online scans can get rid of them. panda+ trend should fix them up.

      Use TrendMicro

      +++++ If you are unable to run the activeX Antivirus Scanners, let's try this Java based solution from Trend Micro.

      For housecall/ trendmicro follow the prompts to scan your hard drive for viruses. Select the "Autoclean" option so that Housecall will remove any viruses from your system. When the scan is finished, please restart your computer.

      Then please run the Panda scan here: http://www.pandasoftware.com/products/a ... ncipal.htm Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and restart your computer. post the results here.
  22. yeh you will have to be careful with rogue antispyware programs. Rogue gives you pop-ups/ adware/ spyware and loads of false positives. if a pop up tells you to buy a product don't. the worst thing is a reformat. btw a typo in my last post.
  23. ccleaner is good/safe. i did use it but now i use cleanup! more often. you might get a little problem after running it (images not showing on some forums- but that's fixable just wait for a few days).
  24. tell him to check for an update and update it?