Trojan problem!

  1. #1
    NeilPeartFan, Newbie

    Trojan problem!

    Hey, n00bie here...And a n00bie to the computer world.

    I've had this computer for a long time and reformatted not too long ago. It's been close to 4 weeks since it's been reformatted and I don't do what I always did before. I don't download music, porn, movies, games, etc. etc. I only have what I should have.

    Anyways, a message from my anti-virus program (Avast) keeps popping up every 15 minutes explaining I have a Trojan Horse. I've done what it recommended me to do (Move to Chest) and it keeps popping up.

    Here's a screen shot of what it is saying.

    Any help would help me out a lot! I just want this computer to turn back to normal.

    Thanks guys and gals!

  2. #2
    brain_damage, D-A-L Team Member (UK)
    Have you tried switching off System Restore then back on?

  3. #3
    NeilPeartFan, Newbie
    Quote Originally Posted by brain_damage
    Have you tried switching off System Restore then back on?

    Sorry for not being the top guy for computers but I don't know what you mean by system restore.

  4. #4
    Neal, Dedicated Member
    Welcome to DAL,

    Please post a HijackThis log so we can have a look at things please.

    Download new version here:
    http://majorgeeks.com/download3155.html

    Click scan and save a log file on the HijackThis program to get a log.

    Please put your HJT in a folder such as C:\HJT or C:\Program Files\HJT.

    Notepad will open up and results of scan will be there, copy and paste that into your next reply. Thanks.

  5. #5
    NeilPeartFan, Newbie
    I did this yesterday and it seems to not want to open so I'll post what it said from yesterday:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:40:42 AM, on 11/13/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\Plaxo\2.5.6.21\PlaxoHelper.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\neeufl\csrss.exe
    C:\WINDOWS\System32\neeufl\smss.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\james\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamingunderground.us
    F3 - REG:win.ini: load=C:\WINDOWS\System32\neeufl\csrss.exe
    F3 - REG:win.ini: run=C:\WINDOWS\System32\neeufl\csrss.exe
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.6.21\PlaxoHelper.exe -a
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
    O4 - Startup: csrss.lnk = ?
    O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2FB3A0D-D2BD-42A2-A997-16FA05B1FA8D}: NameServer = 142.177.1.2 142.177.129.11
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

  6. #6
    Neal, Dedicated Member
    Hi,

    Please do this below

    Create a new folder in your C: Drive
    Name it C:\HJT or HijackThis and move the HijackThis.exe file in it.
    It's best for this tool NOT TO be located in your Desktop or in a TEMP folder.
    This way you can undo any changes if something goes wrong.

    Go into Add/Remove Programs and remove

    spyware cleaner--this is a phony program and bad

    Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop by right-clicking an open area, selecting New Text Document, and saving it as whatever you like. Now put a check next to these:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamingunderground.us---if you don't want this as your start page fix this
    F3 - REG:win.ini: load=C:\WINDOWS\System32\neeufl\csrss.exe
    F3 - REG:win.ini: run=C:\WINDOWS\System32\neeufl\csrss.exe

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Startup: csrss.lnk = ?

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Again make sure all browser windows are closed and click FIX

    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

    Hunt for and delete these please:

    C:\WINDOWS\System32\neeufl < folder
    C:\Program Files\Spyware Cleaner < folder

    Reboot normal mode and go for a couple online scans.


    Make Internet Explorer your default browser so you can do these scans please.


    Internet Explorer required
    Run these two online virus scanners (Panda Activescan) following these instructions below:
    http://www.pandasoftware.com/product..._principal.htm


    Internet Explorer required
    Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html

    These scans will take more than an hour to complete and both scanners will make a log. Please save those and post them back here for me to take a look at please.
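
Added example (not part of any poster's reply and not part of HijackThis): the entries picked out in the fix above share one pattern, a core Windows process name (csrss.exe, smss.exe) running or auto-starting from a folder other than System32. The sketch below checks a HijackThis log for that pattern; the names `triage` and `is_masquerade`, the process-name list and the C:\WINDOWS install path are assumptions of this example, and the sample lines are excerpted from the log posted in #5.

```python
import ntpath
import re

# Assumed list of core Windows process names that belong only in System32.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
# Assumption: Windows is installed in C:\WINDOWS, as in the posted log.
EXPECTED_DIR = r"c:\windows\system32"

# Lines excerpted from the HijackThis log posted in #5.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\neeufl\csrss.exe
C:\WINDOWS\System32\neeufl\smss.exe
C:\Program Files\Mozilla Firefox\firefox.exe

F3 - REG:win.ini: load=C:\WINDOWS\System32\neeufl\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\neeufl\csrss.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# First drive-letter path ending in .exe on a line (spaces allowed).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"<>|*?\r\n]*?\.exe", re.IGNORECASE)
# HijackThis entry prefix such as "F3 - " or "O4 - " (registry/startup items).
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")


def is_masquerade(path):
    """True when a system process name sits outside the System32 directory."""
    directory, name = ntpath.split(path)
    return name.lower() in SYSTEM_NAMES and directory.lower() != EXPECTED_DIR


def triage(log_text):
    """Return (kind, path) for every masquerading executable in the log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        match = PATH_RE.search(line)
        if match and is_masquerade(match.group(0)):
            kind = "autostart" if ENTRY_RE.match(line) else "process"
            findings.append((kind, match.group(0)))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE_LOG):
        print(f"{kind:9} {path}")
```

A hit on both a running process and an autostart entry for the same folder, as here, means the file will come back after a reboot unless the startup entries are fixed as well as the folder deleted.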

  7. #7
    NeilPeartFan, Newbie
    Alright, here's what's going on at the moment:

    I created a new folder in the C: Drive. I labeled it as HijackThis. I can't open HijackThis to get a log because every time I download HijackThis from the site you gave me and then open it to try and run it, the taskbar goes blank at the bottom and the icons are gone for about a short 3 seconds.

    I then went into Add/Remove programs and I can't find anything that says "spyware cleaner"

    This is very confusing, I'm not a computer guy so I don't know much about computers.

    Edit: Okay, new update this time.

    Within the 3 seconds I have I copy/pasted my last log in a new text in the HijackThis folder in the C: Drive. I saved it just in time. I then went into Add/Remove programs but spyware cleaner isn't in THERE. I did a search on windows and it came up in a folder called "spyware cleaner". I went in there and it was there. I don't know how to delete it fully though if it isn't in Add/Remove programs. I'm this far into it.
    Last edited by NeilPeartFan; 14-11-2005 at 05:04 AM.

  8. #8
    Neal, Dedicated Member
    Continue with the fix as I posted. The folder for spyware cleaner is in the fix. To delete the folder, right click on it (cursor on it) then click delete. It may ask you if you want to delete the entire contents of the folder, and yes you do.

    You are doing fine.

  9. #9
    NeilPeartFan, Newbie
    Quote Originally Posted by Neal
    Continue with the fix as I posted. The folder for spyware cleaner is in the fix. To delete the folder, right click on it (cursor on it) then click delete. It may ask you if you want to delete the entire contents of the folder, and yes you do.

    You are doing fine.

    So delete "spyware cleaner" into the Recycle Bin and then click empty, right? I didn't think that fully deleted it.

  10. #10
    NeilPeartFan, Newbie
    Guys I think I know what the problem is.

    On MSN sometimes people give these messages saying "Is this you?" and then there's a website that tells you to download something for your profile. Well, my friend Craig sent me that (he has the virus) and I clicked it and, not having a clue what it was, I downloaded it. Ever since I downloaded it I started having problems.

    Does anybody know how to fix this? Thanks so much.
