Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
Free Antivirus Forum - Learn about antivirus, firewalls and personal security
Almost There I Think ?

Dooz (New Member, joined Apr 2006, 8 posts)
Posted 4-9-2006 11:48 (GMT +1)
Well, for three days I have been scrubbing this computer. About three days ago, out of the blue, my computer got hit by something HARD. The pop-ups were so bad I could not even get to the desktop at times. Avast was putting up alerts all the time. Here is where I'm at.
 
Spybot - Search & Destroy: finally coming back clean
TrojanHunter: "
Ad-Aware SE: "
FxSpL2Me: "
 
I'm still getting pop-ups and my PeerGuardian globe is still showing stealth connections.
 
Logfile of HijackThis v1.99.1
Scan saved at 6:45:48 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AIM\aim.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Glass2k] C:\Documents and Settings\Dooz Owings\Desktop\Glass2k.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NSLU2 Flash Map Utility] C:\Program Files\NSLU2 Flash Map Utility\StorageLink.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [w56206f6.dll] RUNDLL32.EXE w56206f6.dll,I2 0002e92c056206f6
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Huss] "C:\PROGRA~1\SSTEM~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Yud] C:\Documents and Settings\Shawna Owings\My Documents\s?mbols\dllhost.exe
O4 - HKCU\..\Run: [oqmz] C:\PROGRA~1\COMMON~1\oqmz\oqmzm.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - D:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144147359750
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\j4j6le1s1h.dll (file missing)
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 
PS: I do use VNC and pcAnywhere for the remote office.
 
Am I missing something? I have looked over the forum and have all the tools; I also have System Restore off.
 

Dooz (New Member, joined Apr 2006, 8 posts)
Posted 4-12-2006 7:24 (GMT +1)
I'm still getting MAD pop-ups, and sometimes programs such as Spybot S&D and Ad-Aware will come back clean, then the next time you run them hours later they will be full of Trojans again. I'm convinced that something is still getting kicked off in the startup. I was looking over the forum and saw how a lot of spyware linked itself to Explorer, so I even loaded a different shell, "Ashton", and did several sweeps. Interestingly enough, the programs did find a few more adware Trojans, but as soon as I boot back into the default Explorer shell, after about 15 min or so I get hit by the pop-ups. I would be very grateful for any help.
 

rpggamergirl (Forum Moderator, joined Dec 2005, 1534 posts)
Posted 4-12-2006 8:58 (GMT +1)
Fix these entries in HijackThis:
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Huss] "C:\PROGRA~1\SSTEM~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Yud] C:\Documents and Settings\Shawna Owings\My Documents\s?mbols\dllhost.exe
O4 - HKCU\..\Run: [oqmz] C:\PROGRA~1\COMMON~1\oqmz\oqmzm.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
 

Then download Pocket Killbox version 2.0.0.175:
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
 
 
C:\PROGRA~1\SSTEM~1\wuaclt.exe
C:\Documents and Settings\Shawna Owings\My Documents\s?mbols\dllhost.exe
C:\PROGRA~1\COMMON~1\oqmz
 
 
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.
 
 
Let us know if the pop-ups persist.


~Check out Tony Klein's article "How Did I Get Infected in the First Place?"
http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

 

Dooz (New Member, joined Apr 2006, 8 posts)
Posted 4-13-2006 8:05 (GMT +1)
I'm still having issues, so I'm going to post a new HijackThis log when I get home. I've been thinking about the issue all day; is there a way to trap a rogue process with Perfmon? Every 15 min or so I see a command window pop up in my system tray, and then in a matter of a second it's gone. The command window stays minimized and you only see it in the tray. I don't know if that has anything to do with the pop-up that keeps hitting me every so often. I'm going to start unloading stuff from the box tomorrow to see if I can isolate this darn thing. However, I thought there may be a way to see what is going on via Perfmon?
 

rpggamergirl (Forum Moderator, joined Dec 2005, 1534 posts)
Posted 4-13-2006 8:12 (GMT +1)
Yeah, post a new HijackThis log.
I haven't used Perfmon; have you tried Sysinternals' Process Explorer?
 
Also, maybe Silent Runners might show something:
Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop. It's not done yet, just let it run (it won't appear to be doing anything!).
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log. To upload the log file, go to http://www.rafb.net/paste/ and paste your log, then at the bottom left corner click "paste".
* Copy the address/URL and post it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
 
Also try BlackLight:
Download and save BlackLight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click Scan > Next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
 



 

Dooz (New Member, joined Apr 2006, 8 posts)
Posted 4-13-2006 2:29 (GMT +1)
Logfile of HijackThis v1.99.1
Scan saved at 9:22:36 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Hijack This\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Linksys WMB54G Utility] C:\Program Files\Linksys Wireless-G Music Bridge\WMB54G.exe -R
O4 - HKLM\..\Run: [w56206f6.dll] RUNDLL32.EXE w56206f6.dll,I2 0002e92c056206f6
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144147359750
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
 
Well, I spent the morning cleaning up the system and slimming down junk in hopes of getting a better look at this animal. This is what I ended up with (see above). I know the problem is in there somewhere, but after being up all night I'll be darned if I can see it. The pop-up is still hitting me. It looks to be some simple adware issue.
 

Dooz (New Member, joined Apr 2006, 8 posts)
Posted 4-14-2006 12:00 (GMT +1)
Well, after a few hours of sleep, I think I found the issue....
 
~~~~~~~>  O4 - HKLM\..\Run: [w56206f6.dll] RUNDLL32.EXE w56206f6.dll,I2 0002e92c056206f6
 
I killed that DLL in Safe Mode, and then removed the line via HijackThis. It looks like that may have been the root of my last pop-up problem. No more pop-ups. I'll keep a close eye on the system, but it's looking good so far... Thanks for the pointers, rpggamergirl.
 

rpggamergirl (Forum Moderator, joined Dec 2005, 1534 posts)
Posted 4-15-2006 8:42 (GMT +1)
I don't know how I missed that one; it could be because sometimes I use a scanalyzer and the colour must've tricked me. :(
Sorry about that.
That was an extremely good job you did. Well done!
:)



 

Dooz (New Member, joined Apr 2006, 8 posts)
Posted 4-15-2006 9:04 (GMT +1)
Thanks, I have been reading your posts to others. I think it's great how you help out. I'm amazed at how well you key in on the types of infections. As much as I hate getting adware, I always love the battle of getting rid of it. It was kind of interesting to read about all the new tools; I have not been in this situation for years, so things have changed, and that's probably why it took me three or so days lol. I work nights, and was kinda tinkering around with it when I would get off in the mornings, so I wasn't doing my best thinking ;) .. I love this forum group and look forward to reading your posts and tactics.
 

rpggamergirl (Forum Moderator, joined Dec 2005, 1534 posts)
Posted 4-15-2006 10:16 (GMT +1)
I help at another forum besides here.
 
I used to explain why I suggest a certain tool, but the log owners don't really care about the details of the infection; they just want to get rid of the nasties, so now I don't bother to explain.

HijackThis entries give us telltale signs of what infections the system has; you can tell by the entries whether it needs VundoFix or Look2Me Destroyer, etc.
 
1. For example, if you see these entries below, which are dropped by the W32/Chod worm (it comes in 2 F3s):
F3 - REG:win.ini: load=C:\WINDOWS\system32\shaxashvcd\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\shaxashvcd\csrss.exe
O4 - startup: csrss.lnk = ?
 
F3 - REG:win.ini: load=C:\WINDOWS\system32\qikhabfeu\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\qikhabfeu\csrss.exe
O4 - startup: csrss.lnk = ?
 
The folders with random names housed the bad csrss.exe.
Then you know that they need to run the MSNVirRem tool.
 
 
2. If you see this entry below (dropped by the Look2Me infection):
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\t0r80a9ued.dll
 
Then you know they need to run Look2Me Destroyer. The Look2Me entry is in the O20 line of HJT; the display name changes, but it is always in the Winlogon Notify key and points to a file with a random DLL name.
 
Sometimes a log has many infections, but if Look2Me is present too, you need to remove Look2Me first because it attracts more malware into the system.
 
3. Here's another infection, where the symptoms are:
can't open Task Manager, regedit won't work, Ctrl+Alt+Del not functioning.
Those are the symptoms of the Alcan/Alcra/P2PNetwork worm.
 
Here are the signs in the HijackThis entries:
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto <-- this is not the MS Outlook
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames#.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban#.exe
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD#.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad#.exe

If you see these signs in HijackThis, you then suggest BFU. These are just examples; there are a lot more signs of infection that a HijackThis log can tell us.
If you have any questions, or if you see any of my posts and want to ask a question, feel free to ask. :)



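Added example, not code from this thread or from HijackThis, Killbox or any other tool named here: a small Python triage script that applies the log-reading rules rpggamergirl lays out above (random-named folders under win.ini load/run, random Winlogon Notify DLLs, "(file missing)" entries) plus the bare-name rundll32 pattern that turned out to be Dooz's root cause, and generalizes them with a lookalike check for core Windows binary names. The sample log lines are constructed from entries quoted in this thread; the 0.9 similarity threshold and the CORE_NAMES list are my assumptions.

```python
import difflib
import ntpath
import re

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
RANDOM_DLL_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8,14}\.dll$")   # Look2Me-style random DLL names
# Assumed list of core Windows names that the malware in this thread mimicked (csrss, dllhost, wuauclt).
CORE_NAMES = {"csrss.exe", "dllhost.exe", "svchost.exe", "wuauclt.exe", "winlogon.exe", "lsass.exe"}

def launched_path(cmd):
    """Path of the binary (or, for rundll32, the DLL) named in an O4 Run command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"rundll32(?:\.exe)?\s+([^,\s]+)", cmd, re.I)   # rundll32 <dll>,<export> <args>
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.(?:exe|dll|cpl|scr|com))(?:\s|$)", cmd, re.I)  # unquoted path with spaces
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def check_o4(body):
    if not (m := O4_RE.search(body)):
        return []
    path = launched_path(m.group("cmd"))
    base, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
    reasons = []
    if "rundll32" in m.group("cmd").lower() and not folder:
        reasons.append("rundll32 loads a DLL by bare name (search-path resolution)")
    if base in CORE_NAMES and not folder.endswith("system32"):
        reasons.append(f"{base} is a core Windows name but runs outside System32")
    elif base not in CORE_NAMES and any(
            difflib.SequenceMatcher(None, base, c).ratio() >= 0.9 for c in CORE_NAMES):
        reasons.append(f"{base} is a near-lookalike of a core Windows binary")
    if "documents and settings" in folder or "?" in path:
        reasons.append("autostart launched from a user profile path")
    return reasons

def check_o20(body):
    dll = ntpath.basename(body.split(" - ", 1)[-1].replace("(file missing)", "").strip()).lower()
    return ["Winlogon Notify DLL has a random name (Look2Me pattern)"] if RANDOM_DLL_RE.match(dll) else []

def triage(log_text):
    """One finding dict per (entry, reason) for the suspicious HijackThis lines in log_text."""
    findings = []
    for raw in log_text.splitlines():
        if not (m := ENTRY_RE.match(raw.strip())):
            continue
        code, body = m.group("code"), m.group("body")
        reasons = check_o4(body) if code == "O4" else check_o20(body) if code == "O20" else []
        if code == "F3" and re.search(r"win\.ini: (load|run)=\S", body):
            reasons.append("win.ini load/run is normally empty (W32/Chod pattern)")
        if "(file missing)" in body:
            reasons.append("entry points to a file that is missing or hidden")
        findings.extend({"code": code, "reason": r, "line": raw.strip()} for r in reasons)
    return findings

# Constructed sample modelled on entries quoted in this thread; not a real log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [w56206f6.dll] RUNDLL32.EXE w56206f6.dll,I2 0002e92c056206f6
O4 - HKCU\..\Run: [Huss] "C:\PROGRA~1\SSTEM~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Yud] C:\Documents and Settings\Shawna Owings\My Documents\s?mbols\dllhost.exe
O20 - Winlogon Notify: DateTime - C:\WINDOWS\system32\t0r80a9ued.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\shaxashvcd\csrss.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
"""
```

Findings are leads, not verdicts: a bare-name rundll32 entry such as the legitimate Cmaudio one in Dooz's log (RunDll32 cmicnfg.cpl,CMICtrlWnd) is flagged by the same rule and has to be checked by hand, which is exactly why the forum asks for the full log rather than a single line.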
 