
Malware/Spyware Removal Guide


Comments

  • Dr_Ali_G
    Dr_Ali_G Posts: 10 Forumite
    P.S. Just added Spybot to the routine. Why do all these programs find different things?
    Can I find one that does it all? And works with ME?
  • spurs1812
    spurs1812 Posts: 6 Forumite
    Can anyone help? I have somehow managed to download something called SpyLocked? My current antivirus program has detected it but seems unable to remove it. I would appreciate some guidance please?
  • superscaper
    superscaper Posts: 13,369 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker
    spurs1812 wrote: »
    Can anyone help? I have somehow managed to download something called SpyLocked? My current antivirus program has detected it but seems unable to remove it. I would appreciate some guidance please?

    Have you actually gone through posts 1 to 4 of this very thread?
    "She is quite the oddball. Did you notice how she didn't even get excited when she saw this original ZX-81?"
    Moss
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    and if you still have problems afterwards then start a new thread to get specific advice for your problem
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    The following is compiled with the help of Pchelpman, Toxteth_OGrady, Intel and Fran and is designed to be a new "Sticky" as a comprehensive guide to the steps required to remove the above from your PC. It will be split into three posts for ease of reading and printing.

    The first 4 posts in this thread are our best solution to removing the infection from your PC

    The rest of the thread is personal opinions on the rights and wrongs on those instructions. Do not post requests for help in this thread but start a new thread for your particular problem.

    Please follow these instructions fully before posting for help on the Forum as 99% of the time this will clean your PC of the infection.

    Please back up any important documents, emails and photographs before you start.

    #### IMPORTANT: if followed correctly these instructions should help you remove the infection in your PC; if followed incorrectly you may cause damage to your system. If you do not feel confident in following these instructions we would advise you to seek the advice of a professional to fix your PC. ####

    Some links updated 11/09/06 (thanks to Pchelpman for pointing out the dead one).

    For earlier versions of Windows (95/98/98se/Me), Ewido and Microsoft Defender will not work, but all other software will and the steps remain the same.

    #### 25/02/07 At this time I'm not sure of the compatibility of this whole thread with Vista; might have to do a new/updated one at a later date, but the main principle of booting into safe mode would apply. ####

    Download the following software, in each case as it downloads click on the “Run” button on the File download box that opens to install the software.

    Before you start make sure you are at least up to date with Windows XP Service Pack 1a by going here

    http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx

    and choosing

    http://www.microsoft.com/windowsxp/d...1/express.mspx


    1) Please download and install Superantispyware from here ….

    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    • Load SUPERAntiSpyware and click the Check for Updates button.
    • Once the update has finished, exit SUPERAntiSpyware.
    • Please do NOT run a scan yet!

    2) Ad-Aware from Lavasoft from here

    http://www.lavasoftusa.com/products/ad_aware_free.php

    Install, click Check for Updates now and get any updates, then exit

    3) Crap Cleaner from

    http://www.ccleaner.com/ccdownload.asp

    Install only, then exit

    4) Microsoft Windows Defender (this can only be used with Windows 2000/XP/2003) (was known as Microsoft AntiSpyware)

    http://www.microsoft.com/athome/secu...e/default.mspx

    Install it and update it

    5) Spybot Search and Destroy

    http://www.safer-networking.org/

    Install, do the search for updates now and get any updates, Make sure you leave the SDhelper ( IE bad download blocker) checked to install (this is the default).

    You will need to disable system restore, boot into safe mode, scan for the problem and finally re-enable system restore.

    For Windows XP:

    1: Right click on the My Computer icon on your desktop and select properties.
    2: Click on the system restore tab.
    3: Check the box that says "Turn off system restore on all drives". Click OK.
    4: Click Yes when you are prompted to restart the computer
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

    For Windows Millennium:

    1: Right-click My Computer, and then click Properties.
    2: On the Performance tab, click File System, or press ALT+F.
    3: On the Troubleshooting tab, click to select the Disable System Restore check box.
    4: Click OK twice, and then click Yes when you are prompted to restart the computer.
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box



    Malware Removal

    Please back up any important documents, emails and photographs before you start.

    Important:- Before starting make sure you print these instructions as you will not be able to connect to the internet.

    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
    • Open SUPERAntiSpyware and click the Scan your Computer button.
    • Check Perform Complete Scan and then click Next.
    • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
    • Make sure that they all have a check next to them, and then click Next.
    • Click Finish and you will be taken back to the main interface.
    • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    • I'll need a log afterwards of what has been found.
    • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    • Please post the results of the SUPERAntiSpyware log in your next reply.
    The best method to remove malware is to do it after booting in Safe Mode. Please note to complete ALL these scans may take some time so make sure you allow yourself plenty of time.

    Boot to safe mode now.

    For info on how to boot to safe mode click on the link below:

    http://service1.symantec.com/SUPPORT...01052409420406

    Shut down ALL unrequired applications including browsers

    1) Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner


    2) Run Spybot Search & Destroy and allow it to fix all that it finds

    3) Run Ad-Aware SE and select Perform full system scan box and allow it to fix all that it finds

    4) Run Windows Defender and allow it to fix all that it finds

    You will now need to get back into normal Windows mode by reversing the steps you took to get into safe mode

    When Windows has booted up connect to the Internet and see if the problem is still happening, if so you may need to boot back into safe mode again and do a 2nd run of steps 2) to 4).

    Should the problem persist despite all this then run all the free online scans at both these sites:

    http://www.pandasoftware.com/activescan/

    …and here…..

    http://housecall.trendmicro.com.

    When running the Panda Activescan make sure you click the Free Online Virus Scan in the upper right hand corner of the page under the Free use Activescan header. You do NOT want the default spyXposer scan.

    You should run ALL the free scans offered by Housecall.

    Make sure they both perform full system scans.

    If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details in a new thread in the techie forum stating the name of the Malware and which version of Windows you are using.

    If all is clear then please read the following and make sure that you have installed a Firewall and some AntiVirus software by reading the following thread

    http://forums.moneysavingexpert.com/showthread.html?t=3356

    and also it is important that you update your Version of Windows to the latest build as this will help stop a recurrence of the problem. You may need to go back and check for updates a 2nd time to make sure that you are fully up to date.

    http://update.microsoft.com/microsof....aspx?ln=en-us

    Please note that this will only work with a VALID Version of Windows XP

    If problems still exist then download HijackThis

    www.bleepingcomputer.com/files/Merijn/HijackThis.zip

    there is a new "beta" version that has been updated for Xp/2000 (also Internet Explorer 7)

    http://www.trendsecure.com/portal/en...hijackthis.php

    Note: You should only use HijackThis if you have advanced computer knowledge or if you are under the direction of someone who does. Improper usage of this program can cause problems with how your computer operates.

    To use HijackThis, download the file and extract it to a directory on your hard drive called c:\HijackThis. Then navigate to that directory and double-click on the hijackthis.exe file. When the program is started click on the Scan button and then the Save Log button to create a log of your information.

    You can then either paste the contents of the saved file to here for online analysis

    www.hijackthis.de/en

    or post your log file in the Techie Forum for advice. Please include the log from your SUPERAntiSpyware scan as well.



    ##### Please note, all the posts after this do not make up part of the Spyware/Malware removal guide
    Ex forum ambassador

    Long term forum member
  • danlaaa
    danlaaa Posts: 36 Forumite
    Browntoa wrote: »
    Malware Removal

    Please back up any important documents, emails and photographs before you start.

    Important:- Before starting make sure you print these instructions as you will not be able to connect to the internet.

    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.
    • Open SUPERAntiSpyware and click the Scan your Computer button.
    • Check Perform Complete Scan and then click Next.
    • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
    • Make sure that they all have a check next to them, and then click Next.
    • Click Finish and you will be taken back to the main interface.
    • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    • I'll need a log afterwards of what has been found.
    • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    • Please post the results of the SUPERAntiSpyware log in your next reply.
    The best method to remove malware is to do it after booting in Safe Mode. Please note to complete ALL these scans may take some time so make sure you allow yourself plenty of time.

    Boot to safe mode now.

    For info on how to boot to safe mode click on the link below:

    http://service1.symantec.com/SUPPORT...01052409420406

    Shut down ALL unrequired applications including browsers

    1) Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner


    2) Run Spybot Search & Destroy and allow it to fix all that it finds

    3) Run Ad-Aware SE and select Perform full system scan box and allow it to fix all that it finds

    4) Run Windows Defender and allow it to fix all that it finds

    You will now need to get back into normal Windows mode by reversing the steps you took to get into safe mode

    When Windows has booted up connect to the Internet and see if the problem is still happening, if so you may need to boot back into safe mode again and do a 2nd run of steps 2) to 4).

    Should the problem persist despite all this then run all the free online scans at both these sites:

    http://www.pandasoftware.com/activescan/

    …and here…..

    http://housecall.trendmicro.com.

    When running the Panda Activescan make sure you click the Free Online Virus Scan in the upper right hand corner of the page under the Free use Activescan header. You do NOT want the default spyXposer scan.

    You should run ALL the free scans offered by Housecall.

    Make sure they both perform full system scans.

    If either/both scans find something they cannot fix - perhaps because the infected files are "in use" - please make a note of the file(s) concerned and post the details in a new thread in the techie forum stating the name of the Malware and which version of Windows you are using.

    If all is clear then please read the following and make sure that you have installed a Firewall and some AntiVirus software by reading the following thread

    http://forums.moneysavingexpert.com/showthread.html?t=3356

    and also it is important that you update your Version of Windows to the latest build as this will help stop a recurrence of the problem. You may need to go back and check for updates a 2nd time to make sure that you are fully up to date.

    http://update.microsoft.com/microsof....aspx?ln=en-us

    Please note that this will only work with a VALID Version of Windows XP

    I have done a SUPERAntiSpyware scan but it only came up with 3 items needing attention, none of which are what I am trying to get rid of... I am trying to get rid of MBS account manager (sexxxpass)!! but this did not come up on the scan. Here is the log for the scan:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/17/2007 at 09:26 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3270
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 00:51:54

    Memory items scanned : 516
    Memory threats detected : 0
    Registry items scanned : 7533
    Registry threats detected : 3
    File items scanned : 39954
    File threats detected : 0

    Adware.180solutions/ZangoSearch
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#.Owner
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SAIX.dll#{DECEAAA2-370A-49BB-9362-68C3A58DDC62}

    I am about to do the rest of the scans in safe mode, then if that doesn't work I will do the HijackThis method and post the log here too. I have done the HijackThis scan before to try and get rid of this "SCAM!!" and I saw something on there of interest, I think :confused: It had a file on it called:
    O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\smvalid.exe. I checked this item and fixed it, but when I did another HijackThis scan it was still there, I can't get rid of it...

    here is my hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:23:08, on 17/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    c:\windows\system32\rmvalid.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    c:\windows\system32\smvalid.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - Default URLSearchHook is missing
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Mega Manager IE Click Monitor - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\smvalid.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Cribbage - http://download2.games.yahoo.com/games/clients/y/it1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/poti_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
    O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145729869046
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4861/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O24 - Desktop Component 0: (no name) - file:///C:/Program%20Files/BT%20Broadband%20210/Docs/pics/BT%20BB%20Launcher.JPG

    --
    End of file - 10167 bytes

    I don't know where those links have come from in the log; if it's against the rules, then I'm sorry, but I just copied and pasted the log straight onto here... My sincere apologies for taking up so much space with this post, but I am so stressed at the moment, I have been trying to get rid of it nearly all day now.

    Thanks BROWNTOA, hope this helps you to help me :think:
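
The post above picks one O4 autorun line out of a long HijackThis log. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses the O4 Run entries and the "Running processes" section of such a log and marks which autorun targets were running when the log was saved; the function names and regular expressions are assumptions based on the log layout shown in the post, and the sample is a short excerpt of lines from that log.

```python
import re

# Lines excerpted from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\rmvalid.exe
c:\windows\system32\smvalid.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\smvalid.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
"""

# Assumed O4 layout, taken from the log above:
#   O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Unquoted paths may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=\s|$)", re.I)


def target_path(cmd):
    """Return the program path from an O4 command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_hijackthis(text):
    """Extract boot mode, running processes and O4 Run entries from a log."""
    boot_mode, running, autoruns = None, set(), []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Boot mode:"):
            boot_mode = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                running.add(line.lower())   # Windows paths are case-insensitive
            else:
                in_procs = False            # a blank line ends the section
        else:
            m = O4_RE.match(line)
            if m:
                autoruns.append({
                    "hive": m["hive"],
                    "key": m["key"],
                    "name": m["name"],
                    "target": target_path(m["cmd"]),
                })
    # Exact path comparison only: an 8.3 short path (PROGRA~1) will not
    # match the same file listed under its long name.
    for entry in autoruns:
        entry["running"] = entry["target"].lower() in running
    return {"boot_mode": boot_mode, "running": running, "autoruns": autoruns}


def report(text):
    """One line per autorun entry, noting whether its target was running."""
    parsed = parse_hijackthis(text)
    lines = [f"Boot mode: {parsed['boot_mode']}"]
    for a in parsed["autoruns"]:
        state = "RUNNING at scan time" if a["running"] else "not running"
        lines.append(
            f"{a['hive']} {a['key']} [{a['name']}] -> {a['target']} ({state})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A running target is not a verdict (CTFMON.EXE is marked as well); the output shows which autorun entries were live in a Normal-mode scan, which is the situation the guide's Safe Mode step is meant to avoid.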
  • danlaaa
    danlaaa Posts: 36 Forumite
    I have looked for my system32 file in WINDOWS to see if I can delete that file ( O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\smvalid.exe ) but I can't find the system32 file. I have shown all hidden files, but I still cannot find it?
  • danlaaa
    danlaaa Posts: 36 Forumite
    Think I've managed to get rid of it. My Norton isn't picking up sexxxpass anymore and the MBS desktop icon and billing pop-up haven't come up on my PC for a couple of days now :beer:
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    please start a new thread for hijackthis threads, not post them in here, fixes are specific for each person...
    Ex forum ambassador

    Long term forum member
  • random456
    random456 Posts: 1,654 Forumite
    Sorry to be a bit o/t but I noticed this thread has had thousands of views, it's where everyone gets directed when they have adware probs but only 24 people have bothered pressing the thanks button on browntoa's original post? I know a thanks button isn't a be-all and end-all but I think it's very rude for people to read and take info that people have spent time compiling for free and not even bother to spend less than half a second to click a button to say thanks to someone who has most probably saved their computer with this information! *off to click the thanks button now by default!*
    Fr. Stack: While you were out, I got the keys to your car. And drove it into a big wall. And if you don't like it, tough. I've had my fun, and that's all that matters.
This discussion has been closed.