Sponsored By

sari

Members
  • Content Count

    105
  • Joined

  • Last visited

Everything posted by sari

  1. sari

    Paypal Problem (resolved)

    tman70, Well, nothing is showing there. I'm going to have you run scan that is similar to the combofix I had you run, but should be more detailed. Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close all other windows before proceeding. Double-click on dss.exe and follow the prompts. When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Thanks, sari
  2. I am going to suggest you try the Kaspersky online scanner http://www.kaspersky.com/virusscanner Click on the thing with the magnifying glass at upper left. It will only identify (not remove) the infection but it will help the guys in the security and hijack forum to help you. Just for the record, I cannot find any info on this other than on 2 blogs. I've searched Kaspersky's site, Webroot's site, and many other legitimate sites that we commonly use to investigate malware, etc. I'm not sure of the origin of this particular story. Every other reference for snakeoil.dom that I can find is related to Apache servers. Since the blog you quoted was from May 14 of this year, if this were an actual virus there should be information on the major antivirus and malware sites by now. If someone can find this on a legitimate site they can point me to, that would be great, but at this time I'm assuming that this some sort of hoax. sari
  3. sari

    Paypal Problem (resolved)

    tman70, We'll get rid of the key, but since that file seems to be gone, I don't think it's the issue. I'm trying to do some research on other ways to get rid of this. In the meantime, I want you to run a rootkit scanner. Download GMER from here: http://www.gmer.net/files.php Unzip it to the desktop. Open the program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’. Click on Scan. When the scan has run click Copy and paste the results (if any) into this thread. Thanks, sari
  4. sari

    Paypal Problem (resolved)

    tman70, I believe that's telling me that file no longer exists - there's a registry entry pointing to it, but the file itself is gone, which is a good thing (except I would have like to have known what it was!). The attributes were hidden because it was a hidden directory - even though you had unhidden everything, the attributes would remain the same. Are you still having the redirections on secure links? sari
  5. sari

    Paypal Problem (resolved)

    tman70, Show Hidden Files * Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View Tab. * Under the Hidden files and folders heading select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm. * Click OK. I'd like you to see if you can find the following file: C:\SysMa2\svchost.exe If so, please do the following: Right click on the folder - c:\SysMa2 - and select Send to Compressed Folder. It will create a zipped folder in the same directory. Please go to Uploadmalware to upload a suspicious file for analysis. Enter your username from this forum Copy and paste the link to this thread Browse for the zipped folder you just created in c:\SysMa2 In the comments, please mention that I asked you to upload this file Click on Send File The combofix program did clean some files up - you had an email trojan. However, I don't like the looks of that above entry, and I'd like to get it analyzed if possible. Thanks, sari
  6. sari

    Paypal Problem (resolved)

    tman70, Ok, that one is clean. Let's try a more generalized scan that will show me more files. 1. Download ComboFix.exe using either of these links: * bleepingcomputer.com * techsupportforum.com 2. Double click on combofix.exe & follow the prompts. 3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Thanks, sari
  7. sari

    Hijackthis Log

    Double_D_Edd, Hi, and welcome to the Besttechie forums. It looks like you've caught a case of Vundo, so let's get you cleaned up. Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Thanks, sari
  8. sari

    Paypal Problem (resolved)

    tman70, There's not much jumping out at me in your log, except for maybe some leftovers, but let's run some things and see if anything comes up. Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Open the SmitfraudFix folder and double-click smitfraudfix.cmd Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Thanks, sari
  9. sari

    My Hijackthis Log

    Moonastar, Hi, and welcome to Besttechie. You do indeed have some problems in your log, but I need a little more information before I can help you. The top of your hijackthis log was cut off, and i need to see that information. It should look something like this: Logfile of HijackThis v1.99.1 Scan saved at 1:48:59 PM, on 6/18/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) If you could please put that information in a reply to this thread, then I can move ahead with helping you. Thanks! sari
  10. sari

    My First Crack At Sushi

    Sushi is the best!
  11. sari

    Very Sluggish Computer[RESOLVED]

    jplink, Hi, and welcome to Besttechie. I need you to re-enable everything in msconfig and post a new hijackthis log. If you have malware, you may be hiding it, and I need to see everything that normally starts up. Thanks, sari
  12. sari

    Infected Laptop[RESOLVED]

    Whiskeyman, That looks a lot better, but your Java version is very out of date, which still leaves this laptop vulnerable. You need to update (you can do that via the Java control panel), as well as uninstall any older versions. You should be able to update XP SP2 now as well. Finally, did you change security settings in IE? I ask because of this line: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present This often present with a protection program such as Spybot Search and Destroy's Teatimer, which I don't see, but I figured you may have restricted the security settings in order to provide more protection. sari
  13. sari

    Infected Laptop[RESOLVED]

    I know you're whiskeyman at Geeks to Go, and you have access to everything there. I don't know if you recognized that you had an sdbot infection and should have run sdfix. Did you not really want help with the logs? I'm a little confused, and don't really know what's left on there since I don't really know everything that you did.
  14. sari

    Infected Laptop[RESOLVED]

    TheTerrorist_75, I'm currently reviewing all your logs, and will be posting something soon. For the most part, the infections are PC-wide, so we can run the fixes on user only, which will help with the process. There is purityscan on one user only, which will have to be addressed separately. Keep your eyes open for my next reply. sari
  15. sari

    Microbillingsystems

    shortfuse, Hi, and welcome to the Besttechie forums. I apologize for the delay in responding to your thread. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\mbssm32.exe Now close all windows other than HiJackThis, then click Fix Checked. Please download the Killbox by Option^Explicit. Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop. Please double-click Killbox.exe to run it. Select: Delete on Reboot then Click on the All Files button. [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): c:\windows\system32\mbsrm32.exe C:\WINDOWS\system32\mbssm32.exe [*] Return to Killbox, go to the File menu, and choose Paste from Clipboard. [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!). If your computer does not restart automatically, please restart it manually. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work. Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send If it wants to install an ActiveX component allow it Select either Home User or Company Click the big Scan Now button It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. Please go HERE to run Panda's ActiveScan - you must use Internet Explorer for this to work. Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send If it wants to install an ActiveX component allow it Select either Home User or Company Click the big Scan Now button It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. Please post the Activescan report and a new hijackthis log in your reply. Thanks, sari
  16. sari

    Downloader.agent.awf And Others

    rmurphy7817, Hello, and welcome to Besttechie. Your log is actually clean, and I don't see the tell-tale signs of AWF. Just to be on the safe side, though, I'd like you to repeat the scan in safemode using the following directions, and then post the log from the AVG Anti-Spyware scan so I can see what it finds. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess: Lauch AVG Anti-Spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important). Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan. Thanks, sari
  17. sari

    Hijackthislogfile.8/14/06

    spikeq1love, Let's answer your questions first: O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll <== related to Java (which is out-of-date; I'll provide instructions on updating it). O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL <=== related to Microsoft office O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll <== This has to do with Windows Genuine Advantage, which is a program to verify the authenticity of your Windows version. O4 - HKCU\..\Run: [spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan <== This program is generally considered to be a rogue program due to aggressive advertising and false positives. You can read more about it here. This would be my recommendation for your log: Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O3 - Toolbar: (no name) - {E947A403-B614-4FA8-B9E7-E790F0BDC87E} - (no file) O4 - HKCU\..\Run: [spyware Begone] "C:\spywarebegone\SpywareBeGone.exe" -FastScan Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode. Delete the following folder: C:\spywarebegone Reboot into normal mode. 1. Go to Start > Control Panel. 2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot. After reboot, go back into the Control Panel and double-click the Java icon. 3. Under Temporary Internet Files, click the Delete Files button. There are three options on this window to clear the cache - leave ALL 3 checked: 1. Downloaded Applets 2. Downloaded Applications 3. Other Files 4. Click OK on Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. 5. Click OK to leave the Java Control Panel. sari
  18. sari

    My Friends Hijack Log

    mainter, Hi, and welcome to Besttechie. Your friend does indeed have a few problems, so let's get started. It will take multiple steps to get this cleaned up, so please stay with me until we're finished. 1. Download Ewido anti-spyware from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program. Once the setup is complete, run Ewido and update the definition files. On the main screen select the icon "Update" then select the "Update now" link.Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed. [*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. [*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine". [*]Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" Close Ewido anti-spyware, Do Not run a scan just yet 2. Please download Brute Force Uninstaller to your desktop. Right click the BFU folder on your desktop, and choose Extract All Click "Next" In the box to choose where to extract the files to, Click "Browse" Click on the + sign next to "My Computer" Click on "Local Disk (C:) or whatever your primary drive is Click "Make New Folder" Type in BFU Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". 3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Do not do anything with these yet! 4. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter. 5. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess: Lauch ewido-anti-spyware by double-clicking the icon on your desktop. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan". ewido will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important) Close Ewido and reboot your system back into Normal Mode. 6. Then, please go to Start > My Computer and navigate to the C:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.) Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program. Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log. Please include both of the above-mentioned logs in your reply. Thanks, sari
  19. sari

    New User Hijack Log

    romeo, I'm glad we got you straightened out - we try to avoid re-formatting whenever possible. I would suggest getting something like spywareguard or spywareblaster, which will provide better protection against unexpected downloads than an anti-virus alone will. I would also recommend using something like Firefox as your browser - I've been using it for a while now, and I'm very impressed with it, and it will also provide more protection against Activex controls and popups. sari
  20. sari

    New User Hijack Log

    romeo, It looks like we finally got it! Your log is clean now Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications: Detect and Remove Programs: How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware. How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware. Prevention Programs: Spywareblaster <= SpywareBlaster will prevent spyware from being installed. Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts. IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer Google Toolbar <= Get the free google toolbar to help stop pop up windows. Other necessary Programs: AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have. Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs. More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well. And also see TonyKlein's good advice So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it. sari
  21. sari

    New User Hijack Log

    romeo, Well, the good news is that the entries are no longer in your hijackthis log. Please delete the following files: C:\WINDOWS\SYSTEM32\CSFAS.EXE C:\WINDOWS\SYSTEM32\DMHZB.EXE Also, look in your c:\windows\system32 directory and delete anything that looks like this: {AB48B2C9-9B9C-4CFB-A482-5DC00DDFFDDB}.exe {920B2EB2-7E96-47A2-8F3B-61445E3645A0}.exe Then run the wareoutfix again (I hope it's the last time) and post that and a new hijackthis log. sari
  22. sari

    New User Hijack Log

    romeo, Ok, we are making progress. Let's kill the remaining files, and then delete the lines from hijackthis. Please download the Killbox by Option^Explicit. Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop. Please double-click Killbox.exe to run it. Select: Delete on Reboot then Click on the All Files button. [*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy): {5E3CCD7B-B470-4F31-86FE-017DEBF813FB}.exe {0F7A4563-5753-4093-B22C-3B1882069AD8}.exe {8F75451D-5608-43D8-98A9-617A809271B1}.exe C:\WINDOWS\SYSTEM32\CSFGF.EXE C:\WINDOWS\SYSTEM32\CSJHE.EXE C:\WINDOWS\SYSTEM32\CSKRY.EXE C:\WINDOWS\SYSTEM32\CSSVN.EXE C:\WINDOWS\SYSTEM32\DMATV.EXE C:\WINDOWS\SYSTEM32\DMOTK.EXE C:\WINDOWS\SYSTEM32\DMRYJ.EXE C:\WINDOWS\SYSTEM32\DMUFV.EXE C:\WINDOWS\System32\xputt.exe C:\WINDOWS\System32\WinStat13.dll [*] Return to Killbox, go to the File menu, and choose Paste from Clipboard. [*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!). If your computer does not restart automatically, please restart it manually. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll O4 - HKLM\..\Run: [xputt.exe] C:\WINDOWS\System32\xputt.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{39CBBE5C-CE35-4709-B44D-50547B566A60}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC122E3-FB03-4F71-BC6D-15EE27DB6307}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{B821443B-D772-4392-A6BF-28E93BD36F8D}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{BE212EC9-633A-4F08-B53D-5E6D1460AD58}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD1FB58-9EDC-47F8-9A4B-22C01ADD893A}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126 Now close all windows other than HiJackThis, then click Fix Checked. Now please run the wareoutfix one more time and post both logs here. Thanks, sari
  23. sari

    New User Hijack Log

    romeo, Go to Start > Run and type "Services.msc" (without quotes) then hit Ok Scroll down and find the below services: System Startup Service (SvcProc) When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok. Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name): SvcProc Click OK. It should pull up information about the service, then ask if you want to reboot. Click YES. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. O4 - HKLM\..\Run: [xputt.exe] C:\WINDOWS\System32\xputt.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{39CBBE5C-CE35-4709-B44D-50547B566A60}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC122E3-FB03-4F71-BC6D-15EE27DB6307}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{B821443B-D772-4392-A6BF-28E93BD36F8D}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{BE212EC9-633A-4F08-B53D-5E6D1460AD58}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD1FB58-9EDC-47F8-9A4B-22C01ADD893A}: NameServer = 85.255.116.54,85.255.112.126 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126 Now close all windows other than HiJackThis, then click Fix Checked. Find and delete the following files from C:\windows\system32: {E4D3380B-F974-49AF-A5AD-1190EEBA5E48}.exe {3AF73241-E865-43ED-8059-F9B20158DBDA}.exe {AFC73B00-6E74-40DE-AD7E-BE3A7CE9A7F6}.exe {E96232F5-765B-4BCB-A828-0E786D3A0DAE}.exe {7E09D562-435E-4463-A1D7-2668714F53DC}.exe {89B5AA3D-4B64-4433-802F-D082867662A5}.exe {675504CA-43E2-49AD-A5A2-F9DCFC9E4849}.exe {91A8AEB5-D035-43ED-8054-1324B135307F}.exe {BBE7D690-364C-4FF0-9459-DF992AA9158C}.exe {6BC6E451-E5FB-4992-9101-099BFEF46681}.exe {AC00109A-CB1E-4768-A198-0B10A8577C58}.exe {D11AD900-96F4-4C37-81DF-EEE33486481D}.exe {85249207-3CD1-4D7D-815E-6852381FC3AC}.exe {F032A19D-E85F-45A2-A609-8239946F2368}.exe {4515CDB5-CD48-4EEC-8C0C-70E072944CAF}.exe {62A21570-35BC-4E7C-9F1D-396DF448A060}.exe Now run fixwareout again, and post the log from that as well as a new hijackthis log. Thanks, sari
  24. sari

    New User Hijack Log

    romeo, You have a newer variant of wareout - I'm reviewing information on how to fix it, and will post back shortly. sari
  25. sari

    Happy Birthday Besttechie!

    HAPPY BIRTHDAY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!