I Googled some information before posting this and it appears to be a Trojan virus. I have already deleted it in the main C folder on my computer, but I've noticed it's also in the win32 folder. Can I just delete it like that? Or isn't that enough? Because other forums mention going into the registry or something...
Oh, the symptoms. I always got this message that appeared when I first opened my Internet Explorer (only one time each time after you've started your computer) which said "can't download file from www7.logih.......". And I also removed 777.htm in my main folder as it appeared to open this message.
Yeh, most trojans, you can only get rid of by reformatting. Do you have AV?
If you can, I suggest reformatting.
Ehm... reformatting, like, delete everthing from your C drive? Probably you mean something else; I'm no good at this sorta things 
Yup, that´s what formatting means, to delete all information, and formate the disk. Then you would probably want to backup your documents and stuff, first. And after formatting, you would have to reinstall Windows (I think).
Try Spyware Doctor 3.8 (message me for details as it doesn't provide trial, i'll provide you with full). Spyware Doctor has been rated the best for a while now and removes Spyware, Adware, Malware, Keyloggers, Trojans and blocks pop-ups and can filter unsafe sites. It also protects against malicious ActiveX plug-ins that your browser may have installed without consent. Spyware Doctor also removes the "Hi-jacked Homepage" as it is formerly known. Let's just say this program is the bee's knee's when it comes to internet security. I am happy to own such software. Most virus' don't require re-format to rid, that's not good if you have alot of data that you wish to keep 
.
| erlendhg wrote: |
| Yup, that´s what formatting means, to delete all information, and formate the disk. Then you would probably want to backup your documents and stuff, first. And after formatting, you would have to reinstall Windows (I think). |
Then what if the files that they have backed up are infected, then he has demolished the objective of re-formatting. I know of this due to experience. That's why i strongly suggest you try my theory first before completely re-formatting your hard disk. Oh and yes that does require a re-installation of windows. Thanks for your help, but I've found something else. Only... you will need to tell me if it's safe to apply!
I found it on: http://www.xpounded.netfirms.com/xFree6.html
The code goes as follows:
Dim instructions
Dim notice
instructions = "Free6_Cleaner is a VBS file that will create a *.REG file that will help you clean your system of Free6" & vbcrlf
instructions = instructions & "The *.Reg file is/has-been created on your dektop." & vbcrlf
instructions = instructions & "To clean Free6:" & vbcrlf
instructions = instructions & vbtab & "1. Double-Click the file 'CleanFree6.reg' located on your Desktop." & vbcrlf
instructions = instructions & vbtab & "2. Restart You System." & vbcrlf
instructions = instructions & vbtab & "3. Browse to %SystemRoot%\System32\vbsys2.dll" & vbcrlf
instructions = instructions & vbtab & vbtab & "(%SystemRoot% is a short way to say your system folder: usually c:\windows)" & vbcrlf
instructions = instructions & vbtab & "4. Rename or/and Move/Remove the file vbsys2.dll" & vbcrlf
instructions = instructions & vbtab & "5. The Free6 popups should be gone! Mention us." & vbcrlf
instructions = instructions & vbtab & "Xpounded."
notice = "It appears that your system is free of Free6."
Function RegRead(key)
Dim Sh, sRet
Set Sh = CreateObject("WScript.Shell")
sKey = key
On Error Resume Next
sRet = Sh.RegRead(sKey)
On Error Goto 0
Set Sh = Nothing
RegRead = sRet
End Function
Function RegFileToCleanFree6(strCLSSID)
Dim ret
ret="REGEDIT4" & vbcrlf
ret=ret & ";Xpounded File to Remove Probable Free6 Hijacker vbsys2" & vbcrlf
ret=ret & ";" & vbcrlf
ret=ret & ";HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "\InProcServer32" & vbcrlf
ret=ret & ";REG_EXPAND_SZ @ C:\WINDOWS\System32\vbsys2" & vbcrlf
ret=ret & "[HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf
ret=ret & "@=-" & vbcrlf
ret=ret & "[-HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf & vbcrlf
ret=ret & ";HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & vbcrlf
ret=ret & ";REG_EXPAND_SZ @ System Check Application" & vbcrlf & vbcrlf
ret=ret & "[HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "]" & vbcrlf
ret=ret & "@=-" & vbcrlf
ret=ret & "[-HKEY_CLASSES_ROOT\CLSID\" & strCLSSID & "]" & vbcrlf & vbcrlf
ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "\InProcServer32" & vbcrlf
ret=ret & ";REG_EXPAND_SZ @ C:\WINDOWS\System32\vbsys2" & vbcrlf
ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf
ret=ret & "@=-" & vbcrlf
ret=ret & "[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "\InProcServer32]" & vbcrlf & vbcrlf
ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & vbcrlf
ret=ret & ";REG_EXPAND_SZ @ System Check Application" & vbcrlf
ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "]" & vbcrlf
ret=ret & "@=-" & vbcrlf
ret=ret & "[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\" & strCLSSID & "]" & vbcrlf & vbcrlf
ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" & vbcrlf
ret=ret & ";REG_SZ SystemCheck2 " & strCLSSID & vbcrlf
ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]" & vbcrlf
ret=ret & chr(34) & "SystemCheck2" & chr(34) & "=-" & vbcrlf & vbcrlf
ret=ret & ";HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" & vbcrlf
ret=ret & ";REG_SZ SystemCheck2 " & strCLSSID & vbcrlf
ret=ret & "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]" & vbcrlf
ret=ret & chr(34) & "SystemCheck2" & chr(34) & "=-" & vbcrlf
RegFileToCleanFree6 = ret
End Function
Sub saveFile(path,sContent)
Dim result
Set result = fso.createTextFile(path,True)
result.Write sContent
result.Close
Set result = Nothing
End Sub
Dim fso, desktop, WshShell
set WshShell = WScript.CreateObject("WScript.Shell")
desktop = WshShell.SpecialFolders("Desktop")
set WshShell = Nothing
Set fso = createObject("Scripting.FileSystemObject")
free6CLSSID=RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2")
If free6CLSSID <> "" Then
regFile = RegFileToCleanFree6(free6CLSSID)
saveFile desktop & "\CleanFree6.reg", regFile
saveFile desktop & "\CleanFree6.txt", instructions
Else
saveFile desktop & "\CleanFree6.txt", notice
End If
msgbox "Read the 'CleanFree6.txt' instructions on your Desktop to Clean free6 from your system",vbokonly,"Completed"
I'm not trying to gain points in an unfair way, just need to know if I can use this, as Norton stopped the script, which is quite normal I suppose
This code needed to be saved as Free6_Cleaner.vbs ... if your problem still persists visit http://www.gladiator-antivirus.com ( a place where trained and certified professionals help you clean your pc, they have helped me alot) go to the forums go to the "Help Think You Are Infected?" Topic and read the pinned article "Guidelines for Posting in This Forum" grab a copy of hijackthis
(http://www.merijn.org/programs.php#hijackthis) <--- I got mine there
the Guidelines part will take you from there.. Yes that code is safe, I used to write Visual Basic so yeah. You could try that but i would say the easiest way is to use a professional anti-virus like gladiator anti-virus as mentioned above. Thanks a lot, people! No problem, Always willing to help. 
Just download avg anitivirus and let it do its work.....
Heh, that Visual Basic code looks like it works, but you gotta think that most people who use trojans, they change the reg modes and stuff so programs like that wont work, so all you gotta do is:
Go to start
Run
"regedit"
HKEY LOCAL MACHINE
Software
Windows
Run
and delete the reg of the file you dont want to run each time windows runs, and you can leave it like that, or delete the file too, anyway, it wouldnt run if you dont click it :p
