[Fixed] Hijackthis! Logs - hijack help please (posted in the Spyware / AdWare forums)

  #1  
Old 03-27-2008
Twizzle's Avatar
Bronze Member
 
Posts: 11
PC Experience: PC Illiterate
Default hijack help please

thank you. this is my first try at forum. i will attach the hijack log file and a file of the superantispyware scan. i use zone alarm and it indicates gbf.exe is trying to access the internet. this appears to be a password cracker but i can find no reference to it at avast or norton. well, here goes....

  #2  
Old 03-27-2008
valis's Avatar
Senior Security Analyst
My PC
 
Posts: 2,480
Location: texas, USA
Default Re: hijack help please

hello twizzle, and welcome to the forums....

You may want to print these out. please close all other applications, start hjt again, click 'perform system scan only', place a tick next to the following and click 'fix checked'

O4 - HKLM\..\Run: [Microsoft Internet Explorer Update] ieupdate.exe

Go here: http://www.bleepingcomputer.com/comb...o-use-combofix
Follow the instructions for ComboFix, then paste the results along with a new HJT log.

Thanks,

v

__________________

M.C.S.A.
M.C.P.
- MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall
  #3  
Old 03-28-2008
Twizzle's Avatar
Bronze Member
 
Posts: 11
PC Experience: PC Illiterate
Default Re: hijack help please

thank you Valis. Before I do this, can you tell me why I should take this action, that is, what am I trying to fix? thanks, and do you also know why I have gbf.exe on my computer (I read somewhere it was a password cracker) and yet none of the spyware programs have detected or killed it? I was also warned about "ymode" and I see it in the hijack log but again why doesn't the spyware program detect and delete it if it is "bad" too?

  #4  
Old 03-28-2008
valis's Avatar
Senior Security Analyst
My PC
 
Posts: 2,480
Location: texas, USA
Default Re: hijack help please

combofix will clean out a variety of infections; it will most likely not clean out gbf, which is indeed a password cracker; I have no idea as to why you would have that on your machine.

Once combofix is done, we will then go in and assess what is left and then dump that stuff as well.

hope that helps,

v

  #5  
Old 03-29-2008
Twizzle's Avatar
Bronze Member
 
Posts: 11
PC Experience: PC Illiterate
Default Re: hijack help please

Hi Valis, ok i took the HJT action you recommended, and then I did the entire "combo fix" program too. I have attached the two combo fix logs that appeared. let's see... was i supposed to do something more?.... i will go back and read your notes. thanks again. i am concerned about the password cracker and the "ymode.exe" thing, whatever that is. thanks

Attached Files
File Type: txt log.txt (11.5 KB, 2 views)
File Type: txt CF-RC.txt (326 Bytes, 2 views)
  #6  
Old 03-29-2008
Twizzle's Avatar
Bronze Member
 
Posts: 11
PC Experience: PC Illiterate
Default Re: hijack help please

well i thought i had run a log of the HJT results but i can't find it. i did find, however, a text file of combofix-quarantined-files and i will attach now.

Attached Files
File Type: txt ComboFix-quarantined-files.txt (470 Bytes, 2 views)
  #7  
Old 03-31-2008
valis's Avatar
Senior Security Analyst
My PC
 
Posts: 2,480
Location: texas, USA
Default Re: hijack help please

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:
KillAll::
File::C:\Temp\msohtml1
C:\Temp\35.exe
C:\Temp\032608165004
C:\WINDOWS\system32\ymode.exe
C:\Documents and Settings\Tom\gbf.exe



Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*



thanks,




v

__________________

M.C.S.A.
M.C.P.
- MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall
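
A follow-up check for the ComboFix step in the post above, added here as an example and not part of valis's post or of ComboFix itself: it reads the same script text and lists any File:: targets that are still on disk after the restart. The directive layout it parses is assumed from the posted script, and `parse_cfscript`, `leftover_files` and `demo` are hypothetical names.

```python
import os
import tempfile

# Script text as posted above.
POSTED = r"""KillAll::
File::C:\Temp\msohtml1
C:\Temp\35.exe
C:\Temp\032608165004
C:\WINDOWS\system32\ymode.exe
C:\Documents and Settings\Tom\gbf.exe
"""

def parse_cfscript(text):
    """Return {directive: [arguments]} for a CFScript-style text.

    Assumed layout (from the posted script): a directive is a word followed
    by '::'; text after '::' and each following non-blank line belong to it.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, sep, rest = line.partition("::")
        if sep and head.isalpha():
            current = head
            sections.setdefault(current, [])
            line = rest.strip()
            if not line:
                continue
        if current is None:
            raise ValueError(f"path before any directive: {line!r}")
        sections[current].append(line)
    return sections

def leftover_files(text, exists=os.path.lexists):
    """Paths listed under File:: that are still present after the cleanup run."""
    return [p for p in parse_cfscript(text).get("File", []) if exists(p)]

def demo():
    # Constructed sample: two stand-in targets in a temp dir, one already removed.
    with tempfile.TemporaryDirectory() as d:
        gone = os.path.join(d, "ymode.exe")
        still = os.path.join(d, "gbf.exe")
        open(still, "wb").close()
        script = f"KillAll::\nFile::{gone}\n{still}\n"
        return [os.path.basename(p) for p in leftover_files(script)]

if __name__ == "__main__":
    print(demo())
    print(leftover_files(POSTED))
```

An empty list from `leftover_files(POSTED)` on the cleaned machine means every listed file is gone; any path it returns is worth including in the next reply with the fresh logs.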
  #8  
Old 04-01-2008
Twizzle's Avatar
Bronze Member
 
Posts: 11
PC Experience: PC Illiterate
Default Re: hijack help please

Big V, thank you, ok i think i did it right. i may have duplicated the copy of the combo log. i did notice that during the combo fix there was a notice that the ymode.exe was being deleted. sounds like good news to me.

really appreciate all of your help, thanks again for doing a good turn!
Tom

Attached Files
File Type: txt ComboFix.txt (12.5 KB, 1 views)
File Type: log 033107hijackthis.log (8.4 KB, 1 views)
File Type: txt 033107combofixlog.txt (12.5 KB, 1 views)
  #9  
Old 04-01-2008
valis's Avatar
Senior Security Analyst
My PC
 
Posts: 2,480
Location: texas, USA
Default Re: hijack help please

looks better, but there are still a couple questionable entries. Let's try a different scan.

Using Internet Explorer, visit Free Virus Scan - Kaspersky Lab

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

thanks,

v

  #10  
Old 04-02-2008
Twizzle's Avatar
Bronze Member
 
Posts: 11
PC Experience: PC Illiterate
Default Re: hijack help please

Dear Valis, it looks like there are some virus. i have attached the text file of the kaspersky scan.

gracias senor !

Attached Files
File Type: txt kaspersky virus report.txt (72.9 KB, 1 views)
  #11  
Old 04-02-2008
valis's Avatar
Senior Security Analyst
My PC
 
Posts: 2,480
Location: texas, USA