  #1  
04-24-2006
Matt87
Gold Member
Join Date: Nov 2005
Location: Somewhere where God exists.
Posts: 333
[Fixed] Need Help on this

Hi, I helped remove some of the things in my friend's laptop, but I am just submitting 2 logs to double confirm that everything is clean. Hope Joe you can help me out with this one.

P.S. When I start I.E. it always has this website http://www.securitybulletin.net/ although I set the homepage to www.yahoo.com
Attached Files
File Type: log hijackthis.log (7.2 KB, 1 views)
File Type: txt Scan report_20060424.txt.txt (7.2 KB, 1 views)


__________________


If any of the staff helped u in a certain way and u want to thank them, press the "Thanks" Button below the post.

Your Friendly PCHF Mod

Last edited by Matt87; 04-24-2006 at 01:34 PM.
  #2  
04-24-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Hya Mat.


Indeed, several problems on there; first run Smitrem:

Download Smitrem to your desktop:
http://noahdfear.geekstogo.com/click...click.php?id=1

Run the installer and then press Start to extract the files to the desktop. Do not run it yet.

Reboot into safe mode (reboot and keep tapping F8, then choose safe mode from the list).

Run SmitRem:
Open the SmitRem folder and double click the "RunThis.bat" file to start the tool. Follow the prompts on screen, wait for the tool to complete, and disk cleanup to finish.

The tool will create a log named smitfiles.txt on the drive that you ran Smitrem on, e.g. "C:\smitfiles.txt", or the partition where your operating system is installed.

Please attach this log to your next reply.

Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.

You will need to reload your wallpaper as the SmitRem tool will reset it. You can do this by right clicking the desktop and choosing Properties. First check Theme and set it to Windows XP, then click the Desktop tab, choose the one you want to use and press Apply.

Download and run cwshredder:

http://cwshredder.net/bin/CWShredder.exe

Please go to add/remove programs and uninstall NewdotNet. If you don't have that option or if you have difficulties then please follow the instructions on this site


And does your friend know that this keylogger is running on his pc?

Free KGB Key Logger

Also does he know that LogMeIn Remote Control software is installed and running on his pc?

And last, it seems he has no firewall; you know where to find free ones, I'm sure.


When done, please post the Smitrem log plus a new hjt log to get the rest.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #3  
04-25-2006
Matt87
Gold Member
Join Date: Nov 2005
Location: Somewhere where God exists.
Posts: 333

Hi Joe, Thanks for ya excellent Help

The Free KGB Key Logger was installed legitimately, as he wanted to track who is using his laptop.

The LogMeIn Remote Control is also legit software, as sometimes he wanted to remotely access his laptop from places outside.

Attached below are the 2 logs.

Matt
Attached Files
File Type: txt smitfiles.txt (3.5 KB, 2 views)
File Type: log hijackthis.log (7.3 KB, 2 views)


  #4  
04-25-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looking good, most of it is gone.

First run this tool:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

As instructed here:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Then boot in safe mode.

Click Start>Run and type in: services.msc
Click OK
In the Services window find: npkcsvc
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Open HJT and click config > misc tools > "delete an NT service"
Copy and paste: npkcsvc
Click OK.

And after that fix these with hjt if still present:

O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpFFF2.tmp (file missing)
O20 - Winlogon Notify: winabe32 - winabe32.dll (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

When done, post a new hjt log to check please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
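
Added example, not part of the original thread and not HijackThis's own code: a small Python parser for the three log entries joe5 lists in post #4. It marks entries whose file is missing and the O23 service entry that needs the stop-and-disable steps before deletion. The function names and triage rules are assumptions made for illustration.

```python
import re

# The three entries quoted in post #4, copied verbatim from the thread.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpFFF2.tmp (file missing)
O20 - Winlogon Notify: winabe32 - winabe32.dll (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

def parse_entry(line):
    """Split one log line into section, kind, name, CLSID, target and a missing flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header text, running-process paths, blank lines
    rest = m["rest"]
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    fields = rest.split(" - ")
    clsid = CLSID_RE.search(rest)
    return {
        "section": m["section"],
        "kind": m["kind"],
        "name": fields[0],
        "clsid": clsid.group(0) if clsid else None,
        "target": fields[-1],  # last field is the file the entry loads
        "missing": missing,
    }

def triage(entry):
    """Review notes for one parsed entry (illustrative rules, assumed for this example)."""
    notes = []
    if entry["missing"]:
        notes.append("orphaned: registry entry points at a file that no longer exists")
    if entry["target"].lower().endswith(".tmp"):
        notes.append("loads a .tmp file as code")
    if entry["section"] == "O23":
        notes.append("NT service: stop and disable before deleting the entry")
    return notes

def review(log_text):
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return [(e["section"], e["name"], triage(e)) for e in entries]
```

Calling review() on a full hijackthis.log skips the header and process list, because only lines starting with a section code such as O2 or O23 are parsed.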

  #5  
04-25-2006
Matt87
Gold Member
Join Date: Nov 2005
Location: Somewhere where God exists.
Posts: 333

Attached is the log
Attached Files
File Type: log hijackthis.log (6.9 KB, 1 views)


  #6  
04-25-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looking even better. Everything is gone. BUT there is a new entry, and I don't know what it is:


C:\mJeXPerience\Mp3Junction.exe

Do you or your friend know what it's from?

If not, then upload the file to this site and report back the result:

http://www.virustotal.com/en/indexf.html

PS, don't forget a firewall.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -


Last edited by joe5; 04-25-2006 at 04:08 PM.
  #7  
04-26-2006
Matt87
Gold Member
Join Date: Nov 2005
Location: Somewhere where God exists.
Posts: 333

Hi Joe, the mp3junction is legitimately a mIRC script, so no worries.

So is this HJT completed or not? If I get the go-ahead from you, I will move this topic to the completed HJT side.

