How to get rid of trojan?


sandygrimm
21-10-08, 11:55
I scanned and cleaned my computer 3 times, and it's still in there, at least so it seems. I have NOD32, updated daily.

1. How can I be sure it's gone?
2. How do I get rid of it?

Titanium
21-10-08, 11:58
How do you know you've got a trojan? Has NOD32 been saying you've got one?

sandygrimm
21-10-08, 12:02
Yes, and my Windows antivirus or whatever that is.

Titanium
21-10-08, 12:07
Have you tried scanning and cleaning the computer in safe mode?

If you have and it's still there, then run ardiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) and post the results here, and Esconder the genius he is will go through it and let you know what he finds. :)

sandygrimm
21-10-08, 12:09
How do I scan in safe mode?

Titanium
21-10-08, 12:14
Reboot your computer and hold down F8, which will bring up an advanced options menu. Choose Windows Safe Mode.

sandygrimm
21-10-08, 12:29
OK, but when I wanted to restart I got this.
I don't know what program it is; it doesn't show up anywhere (not even in Task Manager) :confused:
http://i34.************/okv01s.jpg

Titanium
21-10-08, 12:42
That appears to be the program name of a well-known rogue anti-virus, which is actually a trojan.

There are many websites with solutions for removing it, but I would suggest waiting for Esconder or another tech support person to come online and give you the safest solution.

sandygrimm
21-10-08, 13:29
Well, I scanned it in safe mode, but it didn't show anything. I re-entered normal mode and got "My computer may be at risk", and NOD asked to submit some suspicious files. Now I tried to upload or save a picture and I can't :| (this is getting scary)
OMG I'M IN TROUBLE!! FAST HELP PLEASE
It's starting to shut down small programs. It won't let me access certain things.
A while after turning on the PC this pops up:
http://i37.************/15fhoh0.jpg

Then things stop working: can't upload/download images, can't reconnect to the internet unless rebooting. This is getting out of hand... HELP!
And if I start the anti-virus to scan, an internet page pops up with something scanning and warning me of the threat (probably it's the trojan getting files).



---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"ATI FGL Rseries Util Service"
Publisher:
"(Not verified) ATI Technologies Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
FGLRYUtil
Program path & name:
"c:\program files\ati technologies\fire gl control panel\atiisrgl.exe"
Enabled: [V]


Program:
"License Control Service"
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
LicCtrlService
Program path & name:
c:\windows\runservice.exe"
Enabled: [V]


Program:
"NOD32 Kernel Service"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NOD32krn
Program path & name:
"c:\program files\eset\nod32krn.exe"
Enabled: [V]


Program:
"Amon monitor"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AMON
Program path & name:
"c:\windows\system32\drivers\amon.sys"
Enabled: [V]


Program:
N/A
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
nod32drv
Program path & name:
"c:\windows\system32\drivers\nod32drv.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"SCSI Pass Through Direct Host"
Publisher:
"(Verified) Duplex Secure Ltd"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sptd
Program path & name:
"c:\windows\system32\drivers\sptd.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
byXqNFxV
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\vtUnnlMc
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [TCP/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [UDP/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [RAW/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [RSVP UDP Service Provider]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [RSVP TCP Service Provider]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 Control Center GUI"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
nod32kui
Program path & name:
"c:\program files\eset\nod32kui.exe"
Enabled: [V]


Program:
"ATI FGL Rseries OpenGL graphics driver install"
Publisher:
"(Not verified) ATI Technologies Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
FRYMXINS
Program path & name:
"c:\program files\ati technologies\fire gl 3d studio max\atiimxgl.exe"
Enabled: [V]


Program:
"ATI FGL Rseries Monitor Select"
Publisher:
"(Not verified) ATI Technologies Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
FRYHIGHRES
Program path & name:
"c:\program files\ati technologies\fire gl control panel\atipmogl.dll"
Enabled: [V]


Program:
"NeroCheck"
Publisher:
"(Not verified) Ahead Software Gmbh"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
NeroFilterCheck
Program path & name:
"c:\windows\system32\nerocheck.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
WinampAgent
Program path & name:
c:\program files\winamp\winampa.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
AlcFDMonitor
Program path & name:
File not found: C:\WINDOWS\ALCFDRTM.EXE"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\jusched.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
d0f5be75
Program path & name:
c:\windows\system32\vdatwovr.dll"
Enabled: [V]


Program:
"Microsoft SharePoint Portal Server Object Model"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
cdo
Program path & name:
"c:\program files\common files\microsoft shared\web folders\pkmcdo.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: about:Home"
Enabled: [V]


Program:
"Adobe Acrobat SpeedLauncher"
Publisher:
"(Not verified) Adobe Systems Incorporated"
Entry path:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Entry name:
Adobe Reader Speed Launch.lnk
Program path & name:
"c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe"
Enabled: [V]


Program:
"SDII MFC Application"
Publisher:
N/A
Entry path:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Entry name:
Microtek Scanner Finder.lnk
Program path & name:
c:\program files\microtek\scanwizard 5\scannerfinder.exe"
Enabled: [V]


Program:
"Adobe Gamma Loader"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
C:\Documents and Settings\sand\Start Menu\Programs\Startup
Entry name:
Adobe Gamma.lnk
Program path & name:
"c:\program files\common files\adobe\calibration\adobe gamma loader.exe"
Enabled: [V]


Program:
"Yahoo! Messenger"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
Yahoo! Pager
Program path & name:
"c:\program files\yahoo!\messenger\yahoomessenger.exe"
Enabled: [V]


Program:
"Adobe Update Manager"
Publisher:
"(Not verified) Adobe Systems Incorporated"
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
updateMgr
Program path & name:
"c:\program files\adobe\acrobat 7.0\reader\adobeupdatemanager.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
sand
Program path & name:
File not found: C:\Documents and Settings\sand\sand.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
28345364805242024221523945929858
Program path & name:
c:\program files\antivirus 2009\av2009.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
AppleSoftwareUpdate.job
Program path & name:
File not found: C:\Program Files\Apple Software Update\SoftwareUpdate.exe"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
&Yahoo! Toolbar Helper
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Adobe Acrobat IE Helper Version 7.0 for ActiveX"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
AcroIEHlprObj Class
Program path & name:
"c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll"
Enabled: [V]


Program:
"Yahoo! IE Services"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Yahoo! IE Services Button
Program path & name:
"c:\program files\yahoo!\common\yiesrvc.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{62F0C38D-82F2-452C-B1C5-AB0179C39C2F}
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{74F120B5-3A3B-4797-8B46-681ABC5CF2AA}
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
SSVHelper Class
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\ssv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Entry name:
byxqnfxv.dll
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NOD32 Context Menu Shell Extension
Program path & name:
c:\program files\eset\nodshex.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"LCMMFU"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
eLicense Control
Program path & name:
c:\windows\lcmmfu.cpl"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Windows Messenger"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Extensions
Entry name:
Windows Messenger
Program path & name:
"c:\program files\messenger\msmsgs.exe"
Enabled: [V]

EscondeR
21-10-08, 17:09
1. Download Autoruns (http://technet.microsoft.com/ru-ru/sysinternals/bb963902(en-us).aspx).
2. Reboot your PC in Safe Mode (press F8 at boot and choose it from the menu).
3. Run Autoruns, let it finish the scan and then delete the following entries (right click, select Delete):


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
byXqNFxV
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V] - VIRUS!


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\vtUnnlMc
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V] - VIRUS!


Program:
"NeroCheck"
Publisher:
"(Not verified) Ahead Software Gmbh"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
NeroFilterCheck
Program path & name:
"c:\windows\system32\nerocheck.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
WinampAgent
Program path & name:
c:\program files\winamp\winampa.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
AlcFDMonitor
Program path & name:
File not found: C:\WINDOWS\ALCFDRTM.EXE"
Enabled: [V] - dead link


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\jusched.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
d0f5be75
Program path & name:
c:\windows\system32\vdatwovr.dll"
Enabled: [V] - VIRUS!


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
sand
Program path & name:
File not found: C:\Documents and Settings\sand\sand.exe"
Enabled: [V] - dead link


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
28345364805242024221523945929858
Program path & name:
c:\program files\antivirus 2009\av2009.exe"
Enabled: [V] - VIRUS!


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
AppleSoftwareUpdate.job
Program path & name:
File not found: C:\Program Files\Apple Software Update\SoftwareUpdate.exe"
Enabled: [V] - dead link


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
&Yahoo! Toolbar Helper
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V] - CRAPWARE!


Program:
"Yahoo! IE Services"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Yahoo! IE Services Button
Program path & name:
"c:\program files\yahoo!\common\yiesrvc.dll"
Enabled: [V] - CRAPWARE!


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{62F0C38D-82F2-452C-B1C5-AB0179C39C2F}
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V] - VIRUS!


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{74F120B5-3A3B-4797-8B46-681ABC5CF2AA}
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V] - VIRUS!


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Entry name:
byxqnfxv.dll
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V] - VIRUS!


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V] - CRAPWARE!


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V] - CRAPWARE!

sandygrimm
21-10-08, 18:06
I did it. I am rescanning the computer now after I deleted Antivirus 2009 (the virus).

kooky
21-10-08, 18:58
I experienced the same thing before, but I deleted it in an alternative way. I ran Task Manager and saw the name of the malicious software that was running on my PC. I clicked "End Process", went to the folder it was located in and deleted it into the Recycle Bin, and I never saw it again. I did this method several times; it never fails to delete them. :)

sandygrimm
21-10-08, 19:02
I deleted it, and didn't find it in the scan, nor in that Autoruns program (I couldn't find those programs to delete). I must have ended them in another way.

EscondeR
21-10-08, 19:37
I experienced the same thing before, but I deleted it in an alternative way. I ran Task Manager and saw the name of the malicious software that was running on my PC. I clicked "End Process", went to the folder it was located in and deleted it into the Recycle Bin, and I never saw it again. I did this method several times; it never fails to delete them. :)

This works very rarely, as if the process is listed, it's currently running... Viruses usually restore their files while running. Booting in Safe Mode prevents most of those trojans from running, therefore you can safely delete them, but you must use Autoruns to find them easily.

spikejones
21-10-08, 22:04
AFAIK Autoruns will only delete the entry but not the actual program ;)

sweetwasabi
21-10-08, 23:38
Ouch. My father had that dumb Antivirus 2009 too. Had to wipe his PC. I did what the others did and removed it, but he let the Avast demo run out. And he got it back.

spikejones
22-10-08, 02:26
Ouch. My father had that dumb Antivirus 2009 too. Had to wipe his PC. I did what the others did and removed it, but he let the Avast demo run out. And he got it back.

AFAIK the only version of Avast! is a free full version, not a demo. I do know, however, that if you fail to register the application, it will time out on you.

EscondeR
22-10-08, 05:15
AFAIK Autoruns will only delete the entry but not the actual program ;)

Yup, but using Autoruns while in Safe Mode you'll:

1. delete the entries for sure;
2. being smart, trace the files themselves and kill them also.

:)

sandygrimm
22-10-08, 13:12
Is this it? Or is it something else?
http://i34.************/s25cfs.jpg

Titanium
22-10-08, 13:24
AFAIK the only version of Avast! is a free full version, not a demo. I do know, however, that if you fail to register the application, it will time out on you.

There's a free edition which needs registering and a pro version with a free trial. So either they downloaded the pro or didn't register the free.

spikejones
22-10-08, 15:04
Is this it? Or is it something else?
http://i34.************/s25cfs.jpg

Is that what???
That is a setup file for something or other, but it is not one of the files that was set to run automatically from the Autoruns list.

sandygrimm
22-10-08, 15:30
Well, I am not sure what it is, and I don't know how it got there. I am afraid to test it, because it might be the trojan setup. When I found the virus, I also downloaded something, then it disappeared after I ran it. Hope it's not it...
But can I delete it?

EscondeR
22-10-08, 16:45
^ How large is the file? You can e-mail a copy to me at esconder[at]mail.ru and I'll check and tell you what it is exactly. It seems like a driver package so far.

A side note: never download anything to the Program Files folder.

sandygrimm
22-10-08, 16:49
I never did that. I don't know where it came from :\
Oh, and BTW, while on the internet, pages pop up (the same pages that "wanted to help" get rid of the virus), but I blocked pop-ups.

It has 0 bytes.

EscondeR
22-10-08, 17:05
Oh, and BTW, while on the internet, pages pop up (the same pages that "wanted to help" get rid of the virus), but I blocked pop-ups.

It has 0 bytes.

1. What browser do you use? I recommend Opera 9.61 (http://www.opera.com/download).
Disable the Messenger service also: go to Control Panel > Administrative Tools > Services, right click the Messenger service, select Properties, set Startup type to Disabled and press the Stop button. Then press OK.

2. If it has 0 length, then simply delete it.

3. Run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) once more and post the new report in case something survived :)

sandygrimm
22-10-08, 17:13
Messenger was disabled.



---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"NOD32 Kernel Service"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NOD32krn
Program path & name:
"c:\program files\eset\nod32krn.exe"
Enabled: [V]


Program:
"Amon monitor"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AMON
Program path & name:
"c:\windows\system32\drivers\amon.sys"
Enabled: [V]


Program:
N/A
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
nod32drv
Program path & name:
"c:\windows\system32\drivers\nod32drv.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"SCSI Pass Through Direct Host"
Publisher:
"(Verified) Duplex Secure Ltd"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sptd
Program path & name:
"c:\windows\system32\drivers\sptd.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
byXqNFxV
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\vtUnnlMc
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [TCP/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [UDP/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [RAW/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [RSVP UDP Service Provider]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [RSVP TCP Service Provider]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 Control Center GUI"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
nod32kui
Program path & name:
"c:\program files\eset\nod32kui.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
d0f5be75
Program path & name:
c:\windows\system32\fnwbbmlo.dll"
Enabled: [V]


Program:
"Microsoft SharePoint Portal Server Object Model"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
cdo
Program path & name:
"c:\program files\common files\microsoft shared\web folders\pkmcdo.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: About:Home"
Enabled: [V]


Program:
"Yahoo! Messenger"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
Yahoo! Pager
Program path & name:
"c:\program files\yahoo!\messenger\yahoomessenger.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
AppleSoftwareUpdate.job
Program path & name:
File not found: C:\Program Files\Apple Software Update\SoftwareUpdate.exe"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
&Yahoo! Toolbar Helper
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Adobe Acrobat IE Helper Version 7.0 for ActiveX"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
AcroIEHlprObj Class
Program path & name:
"c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll"
Enabled: [V]


Program:
"Yahoo! IE Services"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Yahoo! IE Services Button
Program path & name:
"c:\program files\yahoo!\common\yiesrvc.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{62F0C38D-82F2-452C-B1C5-AB0179C39C2F}
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
SSVHelper Class
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\ssv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{EDE7081E-F559-489D-A603-22D5D99EB096}
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Entry name:
byxqnfxv.dll
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NOD32 Context Menu Shell Extension
Program path & name:
c:\program files\eset\nodshex.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"LCMMFU"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
eLicense Control
Program path & name:
c:\windows\lcmmfu.cpl"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Windows Messenger"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Extensions
Entry name:
Windows Messenger
Program path & name:
"c:\program files\messenger\msmsgs.exe"
Enabled: [V]

EscondeR
22-10-08, 17:21
ALERT!!!

Those have survived:

Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
byXqNFxV
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\vtUnnlMc
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
d0f5be75
Program path & name:
c:\windows\system32\fnwbbmlo.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{62F0C38D-82F2-452C-B1C5-AB0179C39C2F}
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{EDE7081E-F559-489D-A603-22D5D99EB096}
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Entry name:
byxqnfxv.dll
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Boot in Safe Mode and repeat the killing process within Autoruns!

If something is still twitching after that, you'll need to boot from clean media, e.g. a Windows Vista Live CD or a Linux CD, and kill those files manually (print this list I provided to have it at hand).

sandygrimm
22-10-08, 18:12
I deleted them all, but I couldn't find this one.
I'm not sure if I deleted it and forgot...



Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{EDE7081E-F559-489D-A603-22D5D99EB096}
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]



---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"NOD32 Kernel Service"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NOD32krn
Program path & name:
"c:\program files\eset\nod32krn.exe"
Enabled: [V]


Program:
"Amon monitor"
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
AMON
Program path & name:
"c:\windows\system32\drivers\amon.sys"
Enabled: [V]


Program:
N/A
Publisher:
"(Verified) ESET spol. s r.o."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
nod32drv
Program path & name:
"c:\windows\system32\drivers\nod32drv.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
"SCSI Pass Through Direct Host"
Publisher:
"(Verified) Duplex Secure Ltd"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
sptd
Program path & name:
"c:\windows\system32\drivers\sptd.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
byXqNFxV
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\vtUnnlMc
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [TCP/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [UDP/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [MSAFD Tcpip [RAW/IP]]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [RSVP UDP Service Provider]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32 protected [RSVP TCP Service Provider]
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 IMON - Internet scanning support"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
Entry name:
NOD32
Program path & name:
"c:\windows\system32\imon.dll"
Enabled: [V]


Program:
"NOD32 Control Center GUI"
Publisher:
"(Not verified) Eset "
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
nod32kui
Program path & name:
"c:\program files\eset\nod32kui.exe"
Enabled: [V]


Program:
"Microsoft SharePoint Portal Server Object Model"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
cdo
Program path & name:
"c:\program files\common files\microsoft shared\web folders\pkmcdo.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: About:Home"
Enabled: [V]


Program:
"Yahoo! Messenger"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
Yahoo! Pager
Program path & name:
"c:\program files\yahoo!\messenger\yahoomessenger.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
Task Scheduler
Entry name:
AppleSoftwareUpdate.job
Program path & name:
File not found: C:\Program Files\Apple Software Update\SoftwareUpdate.exe"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
&Yahoo! Toolbar Helper
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Adobe Acrobat IE Helper Version 7.0 for ActiveX"
Publisher:
"(Verified) Adobe Systems Incorporated"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
AcroIEHlprObj Class
Program path & name:
"c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll"
Enabled: [V]


Program:
"Yahoo! IE Services"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
Yahoo! IE Services Button
Program path & name:
"c:\program files\yahoo!\common\yiesrvc.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{62F0C38D-82F2-452C-B1C5-AB0179C39C2F}
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{72DB2EC1-5173-4A15-A6CB-51D516D90A6B}
Program path & name:
c:\windows\system32\vtunnlmc.dll"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
SSVHelper Class
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\ssv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Entry name:
byxqnfxv.dll
Program path & name:
c:\windows\system32\byxqnfxv.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
NOD32 Context Menu Shell Extension
Program path & name:
c:\program files\eset\nodshex.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"LCMMFU"
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
eLicense Control
Program path & name:
c:\windows\lcmmfu.cpl"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Yahoo! Toolbar"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
yt.dll
Program path & name:
"c:\program files\yahoo!\companion\installs\cpn\yt.dll"
Enabled: [V]


Program:
"Windows Messenger"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Extensions
Entry name:
Windows Messenger
Program path & name:
"c:\program files\messenger\msmsgs.exe"
Enabled: [V]

EscondeR
22-10-08, 18:56
They are still there, seems you need to boot from clean media to get rid of them completely.
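
The comparison EscondeR made by eye (unsigned entries sitting in persistence keys, then checking whether they reappear in the second report) can be scripted. The following is an added example and not part of the thread or of the ardiag tool: a small Python parser for this report format, a diff of two runs, and a constructed sample built from entries quoted above; the list of sensitive locations is my own assumption.

```python
FIELDS = ("Program", "Publisher", "Entry path", "Entry name", "Program path & name")
# Persistence locations of the entries flagged in the thread (my own list, not the tool's); unsigned code there is suspect.
SENSITIVE = ("Winlogon\\Notify", "Lsa\\Authentication Packages", "CurrentVersion\\Run",
             "Browser Helper Objects", "ShellExecuteHooks")

def parse_report(text):
    """Parse ardiag-style output: a 'Key:' line followed by its value line; 'Enabled:' ends an entry."""
    entries, cur, lines = [], {}, [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Enabled:"):               # last field of every entry
            cur["Enabled"] = "[V]" in line
            entries.append(cur)
            cur = {}
        elif line[:-1] in FIELDS and i + 1 < len(lines):
            cur[line[:-1]] = lines[i + 1].strip('"')  # value is on the next line; quoting varies
            i += 1
        i += 1
    return entries
def suspicious(entry):
    """Unsigned (Publisher N/A) code registered in one of the SENSITIVE persistence locations."""
    unsigned = entry.get("Publisher", "N/A") == "N/A"
    path = entry.get("Entry path", "").lower()
    return unsigned and any(s.lower() in path for s in SENSITIVE)

def survivors(before, after):
    """Suspicious entries of the first run that are still present (same key, same file) in the second."""
    key = lambda e: (e.get("Entry path", "").lower(), e.get("Program path & name", "").lower())
    still_there = {key(e) for e in after}
    return [e for e in before if suspicious(e) and key(e) in still_there]

def record(program, publisher, path, name, file):
    """Emit one entry in the report format (used only to build the constructed sample below)."""
    return "\n".join(["Program:", program, "Publisher:", publisher, "Entry path:", path,
                      "Entry name:", name, "Program path & name:", file, "Enabled: [V]", ""])

# Constructed sample runs, built from entries quoted in the thread.
AMON = record('"Amon monitor"', '"(Verified) ESET spol. s r.o."',
              r"HKLM\System\CurrentControlSet\Services", "AMON", r'"c:\windows\system32\drivers\amon.sys"')
NOTIFY = record("N/A", "N/A", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
                "byXqNFxV", r'c:\windows\system32\byxqnfxv.dll"')
RUNKEY = record("N/A", "N/A", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                "d0f5be75", r'c:\windows\system32\fnwbbmlo.dll"')
RUN1 = "\n".join([AMON, NOTIFY, RUNKEY])
RUN2 = "\n".join([AMON, NOTIFY])  # Run-key entry removed; the Winlogon\Notify one survived the cleanup
if __name__ == "__main__":
    for e in survivors(parse_report(RUN1), parse_report(RUN2)):
        print("still there:", e["Entry path"], "->", e["Program path & name"])
```

Feed it the two full reports from the thread and it prints exactly the entries EscondeR listed as survivors; anything unsigned that is new in the second run is worth a look too.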

sandygrimm
22-10-08, 19:04
DARN, but I don't have Vista.. and I have no idea if I still have the Windows XP CD.. I'll try...
How much time do I have to act? Do they do any damage?

EscondeR
22-10-08, 19:11
No damage except making your PC slow, IF you don't answer positively to their alerts and questions. Take your time and follow the instructions.

sandygrimm
22-10-08, 19:14
It's been slow since I made/got it.. I doubt it can get slower.
But I'll see what I can do.
thanx so far:)

spikejones
22-10-08, 22:43
Could it be possible that it has infected something like the Yahoo toolbar (or one of the IM applications) and is reinstalling/starting the programs each time the browser is opened?

EscondeR
23-10-08, 05:19
^ That is why I suggest killing all this "crapware" ;)