Please print out these instructions as you should have all open windows and programs closed when running the scan.
Step 1.
==========
- Please download F-Secure's trial Blacklight from here
- Print out the help page for guidance. It will be found here
- Click the "I Accept" button at the license agreement
- Click the "Download" button to start the download
- Save it to your Desktop
Step 2.
==========
- Double-click the blbeta.exe file on your Desktop
- Select the "I Accept the agreement" at the license agreement, then click "Next"
- Make sure "Scan through Windows Explorer (Recommended)" is selected\checked
- Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
- Click "Scan"
- When the animated graphics, in the bottom right-hand corner, disappears, click "Next"
- A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (ie: fsbl-20051017165931.log)
- Paste the contents of that log back here.
What about the DLL scan?
And I found out my laptop has the I865 folder (can't remember the number but never mind) so I just redirected the registry to it.
It happened again a little after the scan so it didn't help.
What just happened?
Another scan to try:
Please download MWav eScan to a convenient location.
This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe
Put a check next to the below items before scanning:
Memory
Startup Folders
Drive - All Local Drives
Folder - then click "browse" to change the directory to C: (default is C:\Windows)
System Folders
Services
Include Sub-Directory
Scan All Files
Please make sure ALL of these are checked, then press the Scan button.
*NOTE* MWav may pause and appear to be finished, but it isn't done. Just let it run until it says it's complete.
On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". Once the scan is complete, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely big so there is no way to post the whole log. I just need the infected items list from that window.
Oh yeah, I also managed to run HijackThis while the virus was active, dunno if it helps but here it is:
Logfile of HijackThis v1.99.1
Scan saved at 13:34:14, on 09-01-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Okay, I reinstalled Windows (yet again) because of some problems with my registry (nothing to do with this virus).
But it's not gone, and I found out about something it does: it makes my computer think I have both shifts pressed.
But there must be more, as I can't right click or bring up any menus (file, edit you know and the all programs in the start bar) and when I press on the different programs I have open in the start bar it just presses it down and does nothing.
I scanned with AVG antivirus and avast; none of them found anything.
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\startbarhack.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain
===
Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
Trogan, that isn't the virus...XD sorry, it's a copy of EXPLORER.EXE that I made with a modified startbar so it shows loLz instead of Start.
And the WiFi thingie is my Nintendo WiFi connector software.
Alright, I finally had it, I formatted all my hard disks.
Then I reinstalled Windows, and I hope it's gone.
Trogan, thanks for all the help you've done for me, you really tried all you could and I appreciate everything, you're really an awesome person.
Thanks a lot.
I'M SMURFING TIRED OF THIS, I STILL HAVE THE SMURFING VIRUS.
I'm gonna go down with my laptop to the shop and get them to fix it, I have insurance on it luckily.
Sorry if this is a silly response, but the symptoms you describe (the shift keys issue, clicking problems, ...) -- could it be a defective keyboard? Thing is, I had a similar problem once, and back then the keys had gotten stuck by sticky spilled fluids... ;-)
Comments
And I found out my laptop has the I865 folder (can't remember the number but never mind) so I just redirected the registry to it.
Not sure what you mean by this?
Won't be long
01/08/06 20:26:53 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/08/06 20:26:53 [Note]: 7019 4
01/08/06 20:26:53 [Note]: 7005 0
01/08/06 21:01:53 [Note]: 7006 0
01/08/06 21:01:53 [Note]: 7011 392
01/08/06 21:01:54 [Note]: FSRAW library version 1.7.1014
01/08/06 21:03:00 [Note]: 7007 0
Another scan to try:
Please download MWav eScan to a convenient location.
This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe
Put a check next to the below items before scanning:
- Memory
- Startup Folders
- Drive - All Local Drives
- Folder - then click "browse" to change the directory to C: (default is C:\Windows)
- System Folders
- Services
- Include Sub-Directory
- Scan All Files
Please make sure ALL of these are checked, then press the Scan button.
*NOTE* MWav may pause and appear to be finished, but it isn't done. Just let it run until it says it's complete.
On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". Once the scan is complete, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely big so there is no way to post the whole log. I just need the infected items list from that window.
And it's about to look like there's no hope :'(
Object "whistlesoftware Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zipitpro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\iVideoToGo.exe" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mdf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".mds". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wba". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{45C5EE7A-9D8F-4938-836E-791919A43F68}" refers to invalid object "start ACDSee8.exe /StiDevice:%1 /StiEvent:%2". Action Taken: No Action Taken.
Entry "HKCR\.csk" refers to invalid object "cskfile". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\MSMQ.SpObjectToken.3" refers to invalid object "{42B94DF7-CA07-9050-46C5-56E9D7021EA8}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{14CEC08E-C16F-4667-8DC9-ABB5EB8EC817}\RP22\A0006296.exe infected by "Trojan-Clicker.Win32.VB.kq" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{14CEC08E-C16F-4667-8DC9-ABB5EB8EC817}\RP22\A0006296.exe infected by "Trojan-Clicker.Win32.VB.kq" Virus! Action Taken: No Action Taken.
Logfile of HijackThis v1.99.1
Scan saved at 13:34:14, on 09-01-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\startbarhack.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmer\Arcade\PCMService.exe
C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\acer\epm\epm-dm.exe
C:\Programmer\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\Programmer\MessengerPlus! 3\MsgPlus.exe
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\BitLord\BitLord.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\Programmer\WiFiConnector\NintendoWFCReg.exe
C:\Programmer\ewido anti-malware\ewidoctrl.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\acer\eRecovery\Monitor.exe
C:\WINDOWS\System32\svchost.exe
D:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=startbarhack.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Programmer\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmer\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitComet] "D:\BitLord\BitLord.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmer\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Kør registreringsværktøjet til Nintendo Wi-Fi USB Connector.lnk = C:\Programmer\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmer\iPod\bin\iPodService.exe
But it's not gone, and I found out about something it does: it makes my computer think I have both shifts pressed.
But there must be more, as I can't right click or bring up any menus (file, edit you know and the all programs in the start bar) and when I press on the different programs I have open in the start bar it just presses it down and does nothing.
I scanned with AVG antivirus and avast; none of them found anything.
This log shows something that your previous log didn't. Hopefully, this will be what is causing problems and we can remove it easily.
First can you do this:
Go here and in the box provided, paste the following one at a time. Then press SUBMIT
C:\WINDOWS\startbarhack.exe
C:\Programmer\WiFiConnector\NintendoWFCReg.exe
The files will be scanned by various Anti-Virus scanners. Please post the results here.
====
Then do the following:
You may want to print these instructions or save them as you'll have no internet connection once in Safe Mode
View hidden files and folders – explained here
Go into Safe Mode - explained here
ONCE IN SAFE MODE
Run HiJackThis then:
1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\startbarhack.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain
===
Check the following in HJT and click 'Fix Checked' - Close ALL open Browsers first
F2 - REG:system.ini: Shell=startbarhack.exe
===
Find and Delete the following:
C:\WINDOWS\startbarhack.exe << this file
===
Reboot into Normal Mode and post a new HJT log
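The HijackThis entry being fixed above, `F2 - REG:system.ini: Shell=`, reports the registry-mapped Winlogon shell value, which on a default Windows XP install is `Explorer.exe`. As an added example (not part of the original thread), the following sketch triages a HijackThis log for a non-default shell and for entries marked `(file missing)`; the function names are hypothetical and the sample lines are copied from the log posted in this thread.

```python
import re

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\startbarhack.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=startbarhack.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# An entry line is a section code (R1, F2, O4, O23, ...) followed by " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
SHELL = re.compile(r"REG:system\.ini: Shell=(.*)$", re.IGNORECASE)


def parse_entries(log_text):
    """Return (code, detail) per entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def shell_is_default(value):
    """True only for a bare Explorer.exe; anything appended or substituted is not default.

    A full path to explorer.exe is also reported, so a person reviews it.
    """
    return value.strip().strip('"').lower() == "explorer.exe"


def triage(log_text):
    """List entries worth a manual look: shell overrides and dangling references."""
    findings = []
    for code, detail in parse_entries(log_text):
        m = SHELL.search(detail)
        if code == "F2" and m and not shell_is_default(m.group(1)):
            findings.append(("shell-override", m.group(1).strip()))
        elif detail.rstrip().endswith("(file missing)"):
            findings.append(("file-missing", code))
    return findings


if __name__ == "__main__":
    for kind, value in triage(SAMPLE_LOG):
        print(kind, value)
```

A finding here is a prompt for review, not a verdict: a replaced shell can be a deliberate customization as well as a persistence mechanism.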
And the WiFi thingie is my Nintendo WiFi connector software.
Other than that, the log is clean. I think we have tried almost everything.
Then I reinstalled Windows, and I hope it's gone.
Trogan, thanks for all the help you've done for me, you really tried all you could and I appreciate everything, you're really an awesome person.
Thanks a lot
I'm gonna go down with my laptop to the shop and get them to fix it, I have insurance on it luckily.
Good Luck
So, if the problem remains, maybe something is not working correctly or it is a driver conflict.
Hope you get it sorted