Help with Win32:Trojano-213

Hello all,

I have a fairly common problem. My computer is infected with Trojano-213. Despite attempts to get rid of it, it appears daily. I have recently run the following programs (all are up to date with the latest patches/downloads):

a-squared
spybot search and destroy
adaware
Avast boot time scan (deleted infected files: 2_0_1browserhelper2.dll, unstsa2.exe, Installer2.exe)

Subsequent to this I have run Hijackthis. The log follows and is also attached. My OS is Win 2000 Prof with all SPs and updates.

Any help will be greatly appreciated as I have already spent hours trying to sort this out.

Thanks in advance.

Duckula


Logfile of HijackThis v1.97.7
Scan saved at 19:53:05, on 25/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\GEARSEC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Win Comm\WinLock.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\OpenOffice.org1.1\program\soffice.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.curtin.edu.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - (no file)
O2 - BHO: (no name) - {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} - C:\WINNT\DOWNLO~1\iEBINST2.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60261C06-81B0-4DE0-9313-E5BA203A64E9} - C:\WINNT\DOWNLO~1\pdfmgr.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\system32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [CreateCD50] “C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe” -r
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [internat.exe] internat.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OpenOffice.org 1.1.lnk = C:\Program Files\OpenOffice.org1.1\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Free WebSite Tools.lnk = C:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\ThirtyDayTimer.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ Lite (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=dd8db6eae7b3654038237d0b84b1b7592a7c740cb737386283389eb86c385c56bc11960de953afc8b0f8ea2e3d3e128ba9221d51f15727809397a79e20e8b65ea7:ca217fc8f18ffa8896bcf1e0be69801e
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} (No description) - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37838.3843287037
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Hi, welcome to the forums.

It would be helpful to know the following:
- avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
- What was the virus name, what was the filename, where was it found
example (C:\windows\system32\infected-filename.xxx)?
- What actions have you taken to try and resolve the problem?
Also see this thread for further information and advice User’s FAQ.

Your hijackthis is not the latest version.

A visit to Eddy’s HiJackThis Info and Analysis page, HiJackThis log file analyzer and follow the directions there and get back to us if you need more help…

There you can get the latest version of hijackthis plus his analysis tool which will help you with what to fix, etc.

This thread should also help General Advice & Tools for virus/trojan/malware removal

Thanks for the response.

Since my initial post I have got the latest version of HijackThis and gone to hijackthis.de and used the analyser. All identified nasty stuff has been fixed using HijackThis. Time will tell if the trojan will show up again tomorrow. It seems to reincarnate itself every 24 hours or so. Should it return, then I'll try this forum again. Meanwhile I think I have learned some useful things from this forum regarding sorting out this kind of problem.

Duckula
aka Martin

This is what my HJT log analyzer is reporting:


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using a old version of Hijackthis, please update.
Software firewall detected.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://www.naupoint.com/toolbar/ie.html
o1 - hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
o2 - bho: (no name) - {00320615-b6c2-40a6-8f99-f1c52d674fad} - (no file)
o2 - bho: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
o2 - bho: (no name) - {44fd0af8-9d30-4e96-8ece-306446b5e0d3} - c:\winnt\downlo~1\iebinst2.dll (file missing)
o2 - bho: (no name) - {60261c06-81b0-4de0-9313-e5ba203a64e9} - c:\winnt\downlo~1\pdfmgr.dll
o2 - bho: (no name) - {83de62e0-5805-11d8-9b25-00e04c60faf2} - c:\winnt\2_0_1browserhelper2.dll (file missing)
o2 - bho: (no name) - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\winnt\system32\msbe.dll
o4 - hklm..\run: [downloadaccelerator] c:\progra~1\dap\dap.exe /startup
o4 - hklm..\run: [windows syncroad] c:\program files\windows syncroad\syncroad.exe
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
o16 - dpf: {15ad4789-cdb4-47e1-a9da-992ee8e6bad6} - http://public.windupdates.com/get_file.php?bt=ie&p=dd8db6eae7b3654038237d0b84b1b7592a7c740cb737386283389eb86c385c56bc11960de953afc8b0f8ea2e3d3e128ba9221d51f15727809397a79e20e8b65ea7:ca217fc8f18ffa8896bcf1e0be69801e
o16 - dpf: {166b1bca-3f9c-11cf-8075-444553540000} (shockwave activex control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
o16 - dpf: {2917297f-f02b-4b9d-81df-494b6333150b} (minesweeper flags class) - http://messenger.zone.msn.com/binary/minesweeper.cab31267.cab
o16 - dpf: {44fd0af8-9d30-4e96-8ece-306446b5e0d3} (no description) - http://naupoint.com/toolbar/installer/iebinst2.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab
o16 - dpf: {9f1c11aa-197b-4942-ba54-47a8489bb47f} (update class) - http://v4.windowsupdate.microsoft.com/cab/x86/unicode/iuctl.cab?37838.3843287037
o16 - dpf: {a8658086-e6ac-4957-bc8e-8d54a7e8a790} (gdichk object) - http://www.microsoft.com/security/controls/gdi/0/gdichk.cab
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
o16 - dpf: {d719897a-b07a-4c0c-aea9-9b663a28dfcb} (itunesdetector class) - http://ax.phobos.apple.com.edgesuite.net/detection/itdetector.cab
o16 - dpf: {e855a2d4-987e-4f3b-a51c-64d10a7e2479} (epsimagecontrol class) - http://tools.ebayimg.com/eps/activex/epscontrol_v1-0-3-0.cab


THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hklm..\run: [createcd50] “c:\program files\common files\adaptec shared\createcd\createcd50.exe” -r
o4 - hklm..\run: [hp software update] c:\program files\hewlett-packard\hp software update\hpwuschd.exe
o4 - hklm..\run: [icq lite] c:\program files\icqlite\icqlite.exe -minimize
o4 - hklm..\run: [tkbellexe] “c:\program files\common files\real\update_ob\realsched.exe” -osboot
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
o4 - hkcu..\run: [winmx] c:\program files\winmx\winmx.exe -m
o4 - hkcu..\runonce: [icq lite] c:\program files\icqlite\icqlite.exe -trayboot
o4 - startup: openoffice.org 1.1.lnk = c:\program files\openoffice.org1.1\program\quickstart.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
o4 - global startup: free website tools.lnk = c:\program files\coffeecup software\coffeecup free zip wizard\thirtydaytimer.exe

Also analyze your log HERE and fix everything that is reported as bad/nasty, reboot and create new log. And please use the latest version of HijackThis.
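The analyzer report above flags hosts-file redirects, browser helper objects whose file is gone, and ActiveX downloads with no description. The following script is an added example, not part of this thread and not the hijackthis.de analyzer's own logic: it parses HijackThis log lines into (section, body) entries and applies a small triage rule set (O1 hosts pairs, any entry marked "(no file)" or "(file missing)", O16 entries marked "(No description)", and R0/R1/O17 entries listed for manual review). The sample lines are copied from the log posted earlier in the thread; the fused O1 line is kept as posted to show how a hosts entry that lost its line break is still split into its two pairs.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis log posted above,
# plus a process-list line and a header that a parser must ignore.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.naupoint.com/toolbar/ie.html
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINNT\2_0_1browserhelper2.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O16 - DPF: {44FD0AF8-9D30-4E96-8ECE-306446B5E0D3} (No description) - http://naupoint.com/toolbar/installer/iEBINST2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{8BBA1FE2-B683-4DC2-AB50-3621886571D9}: NameServer = 64.136.20.121 64.136.28.121
"""

# A HijackThis entry starts with its section code (R0-R3, F0-F3, O1-O23).
HJT_LINE = re.compile(r"^(?P<section>R[0-3]|F[0-3]|O\d{1,2})\s*-\s*(?P<body>.+?)\s*$")

# IPv4 address followed by a hostname. The hostname match is lazy and stops
# where the next IPv4 address begins, so a hosts line whose line breaks were
# lost ("...netscape.com12.129.205.209 sitefinder...") still yields every pair.
HOSTS_PAIR = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>[\w.-]+?)"
    r"(?=\d{1,3}(?:\.\d{1,3}){3}\s|\s|$)"
)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_hjt(text):
    """Return the R/F/O entries of a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def hosts_pairs(body):
    """Split an O1 body into (ip, hostname) pairs."""
    if body.startswith("Hosts:"):
        body = body.split(":", 1)[1]
    return [(m["ip"], m["host"]) for m in HOSTS_PAIR.finditer(body)]


def triage(entries):
    """Apply the triage rules; these are this example's rules, not the analyzer's."""
    report = {"hosts_redirects": [], "orphaned": [], "undescribed_activex": [], "review": []}
    for e in entries:
        if e.section == "O1":
            # Hosts-file overrides of public names redirect traffic silently.
            report["hosts_redirects"].extend(hosts_pairs(e.body))
        if "(no file)" in e.body or "(file missing)" in e.body:
            # Registration left behind after its file was deleted.
            report["orphaned"].append(e.body)
        if e.section == "O16" and "(No description)" in e.body:
            # ActiveX download entry with no descriptive name.
            report["undescribed_activex"].append(e.body)
        if e.section in ("R0", "R1", "O17"):
            # Search settings and DNS servers: confirm the user chose them.
            report["review"].append(e.body)
    return report


def triage_sample():
    return triage(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for category, items in triage_sample().items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

The rules are deliberately narrow: an entry being "(no name)" is not by itself flagged, since the Google toolbar BHO in the same log carries that label, and the O16 allowlisting that the analyzer applies is not reproduced here.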

Hi

I am still struggling with Win32:Trojano-213 [trj]. The file identified by avast is C:/Temp/Installer2.exe. This file returns daily at about the same time in the evening!

My most recent action was to start in safe mode and delete all temp files. I wasn't sure if this included files in folders such as AU_Temp and others similarly named. I am guessing that any file in such a folder is not entirely necessary. I also switched on the option so I could see and delete invisible files. I have done my best to follow all of the general instructions I have found on this site.

Here is my latest Hijackthis file - which according to hijackthis.de is returning almost exclusively ‘safe’ items.

Any further suggestions would be welcomed. This thing seems difficult to beat.

Duckula

Logfile of HijackThis v1.98.2
Scan saved at 18:29:21, on 28/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\GEARSEC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\OpenOffice.org1.1\program\soffice.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.curtin.edu.au/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [CreateCD50] “C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe” -r
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [internat.exe] internat.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - Startup: OpenOffice.org 1.1.lnk = C:\Program Files\OpenOffice.org1.1\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Free WebSite Tools.lnk = C:\Program Files\CoffeeCup Software\CoffeeCup Free Zip Wizard\ThirtyDayTimer.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

Not much harmful detected, except for DAP which is ADWARE!
I suggest you click on the link in my signature and follow all steps on that page.
Take your time to do so and let us know if the problem is solved after that.
Also check your browsing behaviour.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

o4 - hklm..\run: [downloadaccelerator] c:\progra~1\dap\dap.exe /startup
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
o16 - dpf: {2917297f-f02b-4b9d-81df-494b6333150b} (minesweeper flags class) - http://messenger.zone.msn.com/binary/minesweeper.cab31267.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab
o16 - dpf: {d719897a-b07a-4c0c-aea9-9b663a28dfcb} (itunesdetector class) - http://ax.phobos.apple.com.edgesuite.net/detection/itdetector.cab
o16 - dpf: {e855a2d4-987e-4f3b-a51c-64d10a7e2479} (epsimagecontrol class) - http://tools.ebayimg.com/eps/activex/epscontrol_v1-0-3-0.cab


THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hklm..\run: [createcd50] “c:\program files\common files\adaptec shared\createcd\createcd50.exe” -r
o4 - hklm..\run: [hp software update] c:\program files\hewlett-packard\hp software update\hpwuschd.exe
o4 - hklm..\run: [icq lite] c:\program files\icqlite\icqlite.exe -minimize
o4 - hklm..\run: [tkbellexe] “c:\program files\common files\real\update_ob\realsched.exe” -osboot
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
o4 - startup: openoffice.org 1.1.lnk = c:\program files\openoffice.org1.1\program\quickstart.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
o4 - global startup: free website tools.lnk = c:\program files\coffeecup software\coffeecup free zip wizard\thirtydaytimer.exe

Hi Everyone

Just a note to say I have rid my machine of the trojan. Thanks to Eddy and his suggestions. Here are the things I did that seemed to result in eventual success:

Run Avast at boot up.
Start in safe mode.
Empty all Temp files (see link at bottom of Eddy's posts).
Run HijackThis and delete all unknown or unsafe processes (analyse results at www.hijackthis.de).
Finally I downloaded a program called SpySubtract - which has a 30 day trial - and ran it.

So far the trojan has not shown up again (it was doing so every 24 hours). I have also run the following programs on my system:

Adaware
Spybot Search and Destroy
Housecall (online virus scanner)
a-squared (another spy/ad remover)
Note that all were up to date versions but did not seem to remove the offending trojan.

It feels great to have a clean machine - so all of you out there fighting to get rid of various annoyances - take heart that it can be done (I spent a good 4-5 hours before getting rid of this trojan). And again big kudos to Eddy.

duckula
aka Martin

Hi,

I'm not very good with computers. Every 24 hours or so I'm getting a virus coming through called Win32:Trojano-213 [Trj]. It's in a folder called TEMP. I have tried running a few programs to get shot of it but it just doesn't go.
Is there any easy way of getting rid of this? I run Avast and Spybot and it doesn't get rid of it.
Has anyone got any suggestions how I can get rid of this? Please keep it simple, I am hopeless with computers.
Thanks
Lee

Also please can you tell me what this Virus can do… Like what damage it causes… Thanks :slight_smile:

Have you not tried to follow the information contained in this thread (my first post, etc.)?

Please help us to help you. In order to help fully we need more information:
- What OS are you using? is it up to date?
- avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
- What was the virus name, what was the filename, where was it found
example (C:\windows\system32\infected-filename.xxx)?
- What actions have you taken to try and resolve the problem?
Also see this thread for further information and advice User’s FAQ.

This is adware, which changes your IE search behaviour:
"Adware.BlazeFind installs itself as a Browser Helper Object and redirects search queries"

->INFO<-
Follow the red links to McAfee & Symantec for info; Trend Micro should also give removal instructions.

& work through above advice

P.S.:
Try this first: Removal using the adware’s uninstaller
As this is written, the publisher of this adware, BlazeFind, has instructions on how to uninstall their product using the Windows Add/Remove programs utility. Although it has not been confirmed by Security Response that this will work in all cases, this should be tried first. (If this does not work, or if you simply want to be absolutely sure, you can go on to the Manual removal instructions that follow).

Currently, BlazeFind has uninstall instructions at:

http://blazefind.com/?section=help

(See steps 7 and 8).
:wink:

First of All Here is my SysInfo:

Windows 2000 Pro SP4 with IE 6.0.2800.1106
According to the Windows Update site I have all Critical Service Packs & Updates

I have Avast! v4.5 running all access scanners and automatically updating daily.
Database version is 0502-2. My last VRDB was 1-9-2005. This has been installed for months, updating religiously, and still I seem to get these viruses slipping by...?

Also SpyBot S&D v1.3 Latest detection Update of 1-6-2005
I recently downloaded HijackThis v1.99.0 and created a logfile to post for you...

HijackThis logfile:

Logfile of HijackThis v1.99.0
Scan saved at 4:08:49 AM, on 1/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\CallWave\IAM.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Download\AntiVirus\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU..\Run: [spc_w] “C:\Program Files\NZSearch\nzspc.exe” -w
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe (file missing)
O9 - Extra 'Tools' menuitem: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip..{0F01A357-4D23-4A59-915F-9BBF6045C368}: NameServer = 142.167.5.5,142.167.5.67
O17 - HKLM\System\CCS\Services\Tcpip..{8BBA1FE2-B683-4DC2-AB50-3621886571D9}: NameServer = 64.136.20.121 64.136.28.121
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

HijackThis Logfile End_________

Can't seem to make heads or tails of removing this virus. The name of the file it was found in was Key2.txt - deleting this does not seem to work, it comes right back. Below are my most recent warnings. Can anyone help? My computer seems to be bogging down awfully...

1/14/2005 3:00:22 AM Administrator 1220 Sign of "Win32:Trojano-213 [Trj]" has been found in "C:\WINNT\Key2.txt" file.
1/12/2005 5:09:22 PM Administrator 1776 Sign of "JS:Istbar [Trj]" has been found in "E:\Chad\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WHI7A5SL\prompt[1].htm" file.
1/12/2005 4:31:00 PM Administrator 1776 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\WINNT\systb.exe\systb.dll" file.

No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

search bar = http://my.netzero.net/s/search?r=minisearch
r1 - hklm\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
search bar = about:blank
r1 - hklm\software\microsoft\internet explorer\main
r0 - hklm\software\microsoft\internet explorer\search
r0 - hklm\software\microsoft\internet explorer\search
r1 - hkcu\software\microsoft\internet explorer\searchurl
(default) = http://my.netzero.net/s/search?r=minisearch
r3 - urlsearchhook: urlsearchhook class - {37d2cdbf-2af4-44aa-8113-bd0d2da3c2b8} - c:\program files\nzsearch\searchenh1.dll
o2 - bho: band class - {01f44a8a-8c97-4325-a378-76e68dc4ab2e} - c:\winnt\systb.dll (file missing)
o2 - bho: (no name) - {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - (no file)
o3 - toolbar: (no name) - {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} - (no file)
o9 - extra button: bingonova lobby - {4e975845-1ba1-495e-95a3-2698978e3d4b} - c:\program files\bingonova lobby\osix.exe (file missing)
o9 - extra 'tools' menuitem: bingonova lobby - {4e975845-1ba1-495e-95a3-2698978e3d4b} - c:\program files\bingonova lobby\osix.exe (file missing)
o9 - extra button: partypoker.com - {b7fe5d70-9aa2-40f1-9c6b-12a255f085e1} - c:\program files\partypoker\ieextension.dll
o9 - extra 'tools' menuitem: partypoker.com - {b7fe5d70-9aa2-40f1-9c6b-12a255f085e1} - c:\program files\partypoker\ieextension.dll
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o16 - dpf: {0335a685-ed24-4f7b-a08e-3bd15d84e668} - http://dl.filekicker.com/send/file/128985-nzil/phpsetup.cab
o16 - dpf: {8ad9c840-044e-11d1-b3e9-00805f499d93} (java runtime environment 1.4.2) - https://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
o16 - dpf: {9522b3fb-7a2b-4646-8af6-36e7f593073c} (cpbrkpie control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [sunjavaupdatesched] c:\program files\java\j2re1.4.2_06\bin\jusched.exe
o4 - startup: trillian.lnk = c:\program files\trillian\trillian.exe

Edit:
I just noticed this was your first post. You should have started a new thread!

Have you not tried working through the information and suggestions above?

The links in my previous post are in blue and are general for the removal of trojans/malware. Did you visit Eddy's site? There is a wealth of information there.

For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
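As an added illustration for anyone reading HijackThis logs like the ones in this thread (this is not part of the thread and not code from HijackThis or hijackthis.de), the script below parses log lines into their section code, CLSIDs, file paths and URLs, and flags the entries a responder checks first: orphan entries marked "(no file)" or "(file missing)", O4 autostarts, O16 ActiveX download points, O17 NameServer settings, and O23 services listed with an Unknown vendor. The sample lines are copied from the log posted above and embedded so it runs offline; the flag names and classification rules are my own assumptions, not an official HijackThis scheme.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample lines copied from the HijackThis log in this thread (embedded so the
# script runs offline). The O4 line uses HijackThis's usual HKCU\..\Run form.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O9 - Extra button: BingoNova Lobby - {4E975845-1BA1-495E-95A3-2698978E3D4B} - C:\Program Files\BingoNova Lobby\osix.exe (file missing)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BBA1FE2-B683-4DC2-AB50-3621886571D9}: NameServer = 64.136.20.121 64.136.28.121
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis line starts with a section code such as O2, O17, R1.
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")
# A drive-letter path up to the first recognisable binary/script extension.
WINPATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|cab|htm|html)', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    clsids: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)  # assumed flag vocabulary, see below


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    e = Entry(section, body)
    e.clsids = [c.upper() for c in CLSID_RE.findall(body)]
    e.urls = URL_RE.findall(body)
    e.paths = WINPATH_RE.findall(body)

    lowered = body.lower()
    # Registry still points at a component whose file is gone: harmless leftover
    # or a partially removed add-on; either way it is safe to clean up.
    if "(no file)" in lowered or "(file missing)" in lowered:
        e.flags.append("orphan")
    if section == "O4":
        e.flags.append("autostart")           # runs at logon; verify the binary
    if section == "O16" and e.urls:
        e.flags.append("activex-download")    # where an ActiveX control was fetched from
    if section == "O17":
        ips = IPV4_RE.findall(body)
        if ips:
            e.flags.append("dns:" + ",".join(ips))  # confirm these belong to the ISP
    if section == "O23" and " - Unknown - " in body:
        e.flags.append("unknown-vendor")      # service with no publisher recorded
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log into entries, skipping lines that are not items."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def orphans(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if "orphan" in e.flags]


def dns_servers(entries: List[Entry]) -> List[str]:
    """All NameServer addresses found in O17 entries, in log order."""
    ips: List[str] = []
    for e in entries:
        for f in e.flags:
            if f.startswith("dns:"):
                ips.extend(f[4:].split(","))
    return ips


def summary(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per flag kind (the 'dns:' flag is counted once as 'dns')."""
    counts: Dict[str, int] = {}
    for e in entries:
        for f in e.flags:
            kind = f.split(":")[0]
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        if e.flags:
            print(f"{e.section:<4} {', '.join(e.flags):<28} {e.body}")
    print("summary:", summary(found))
```

A flag here means "look at this", not "this is malicious": the O17 entries in the log above, for instance, are only a problem if the addresses are not the ones the ISP assigns, and an O23 service listed as Unknown is often just a legitimate product whose installer did not record a publisher (avast! itself appears that way in this log).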