Jump to content

Change Mode

pskelley

Trusted Malware Techs
  • Posts

    1,759
  • Joined

  • Last visited

About pskelley

  • Birthday 04/19/1942

Contact Methods

  • Website URL
    http://
  • ICQ
    0

Profile Information

  • Location
    Clearwater, Florida

Previous Fields

  • Teams:
    Nothing Selected

pskelley's Achievements

Newbie

Newbie (1/14)

  1. OK, you got HJT out of the .zip file but now logs and backups will be all over the desktop. If you must run it from there, point to a blank spot and RIGHT click then make a New Folder, call it HJT. Move the HJT.exe and the log that should be there into that folder. I caution you the backups that will be in that folder could be very important in the event of an error. Changes have occured in the second log, this is what I suggest now. You said this: and it is still in the log, since you indicate you tried to remove it, I will do it for you. 1) Look in Add Remove programs for Avast, uninstall it if there, then do this: C:\Program Files\Alwil Software\Avast4\ashServ.exe <<< open Task Manager, then the Processes Tab, End process on this item. 2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed. 3) CounterSpy may block the HJT fix, use these instructions to turn it off until you are done. I suggest you do this offline. To disable CounterSpy: Right Click on the CounterSpy Icon located in your system tray. With your mouse, hover over Active Protection Status (This should be enabled) A menu will slide out, then right click on Disable Active Protection Once your log is clean please re-enable CounterSpy. Microsoft AntiSpyware will need to be turned off also. 4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items: R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {A55BBA5A-5599-0248-EB5C-7D2283191891} - C:\WINDOWS\system32\gchkbawg.dll (file missing) StartPa-GD trojan O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file) (not sure what this is, if you did not pay for it, remove it) O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor O4 - HKCU\..\Run: [cwwERgN6V] savw32.exe <<< some sort of random named trojan. O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present (above restriction can be removed if you want) Close all programs but HJT and all browser windows, then click on "Fix Checked" 5) SHOW HIDDEN FILES: Follow the instructions in the link to enable hidden files for your operating system. You may wish to reverse this process if you have any concern about anyone getting into these hidden system files. http://www.xtra.co.nz/help/0,,4155-1916458,00.html RIGHT Click on Start then click on Explore. Locate and delete these items: savw32.exe >>> file << you will have to search for this one, once located go there and delete it. If it is in C:\Windows\Prefetch, we are going to empty that folder anyway. C:\Program Files\Alwil Software\ >>> folder C:\Program Files\LimeWire\ >>> folder C:\Program Files\SpyFighter\ >>> folder C:\Windows\Prefetch: Locate this folder and delete all of the contents (NOT THE FOLDER) This information will tell you more about Prefetch: http://www.windowsnetworking.com/articles_...refetch-XP.html 6) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp Run CCleaner, when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do. Then restart the computer and post a new HJT log in this same thread along with any feedback you have. Thanks...pskelley Trusted HJT Advisor PCPitStop forum When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions: http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
  2. Hello, I posted a reply to your topic on 11/4 and have received no response. Sometimes the notifications fail and I do not want to close your topic unless you no longer need it. Would you please take a moment to update your status concerning this topic. If I do not hear from you within 48 hours, I will close it. Thanks...pskelley
  3. Hello and welcome to the forum. There is no doubt you still have a lot of junk on this computer, but I am going to say a major reason for problems is going to be the fact that you are running two powerful antivirus programs at the same time. Conflictions between them make it hard to troubleshoot anything. You are running Norton AntiVirus and Avast. You are also running HJT from a .zip file in a Temporary Directory. You should have received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif Before we can start to clean you up, you need to: 1) Choose one of the antivirus programs and uninstall the other. Once you have only one onboard, I suggest you update it any run it having it remove/delete anything it locates. 2) Move HJT from the .zip file. I suggest here: C:\HJT\HijackThis.exe. If you need more instruction that that, use this link: http://russelltexas.com/malware/createhjtfolder.htm Once you have completed those instructions, post a new HJT log in this same thread. I will be notified once you post and begin cleanup instructions as soon as possible after that. Thanks...pskelley Trusted HJT Advisor PCPitStop forum
  4. First, I have an issue with my scanner and the person I need to hear from is in the UK and it will be at least morning. Since I know what your problem is I can probably work without the scanner but it will be slower. I will say that the infection on your fathers computer looks like Look2me and I use a different tool to remove it. The tool at Ad-aware is being used with good success with the Aurora/Nail infection. If you want to try it out on the infection your fathers has, go right ahead. Here is the line that indicates the infection: O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\en6ol1j31.dll If it is what I think, I do not know if the Ad-aware tool will remove it. I do know that you will need to follow certain instructions and only the new variety of Look2me plugin will have a chance of working. I will post the same instructions for the Nail infection, you can give it a try and see what happens: Please understand that we have been instructed by the creator of the Nail fix (which your father does not appear to have) To remove Look2me with the Look2Me fix prior to trying to remove the Nail infection. It seems as I understand it, that Lavasoft has designed this fix to remove that infection. You need to know there are different places with download and the plug in must be the one in the link below. Make sure Ad-aware is the version in that provided link also. Rather it will work for the infection your father has, will remain to be seen, here are the instructions: BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference. First, download Ewido Security Suite. Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well. Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware. Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal. You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again. When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware. For a final cleanup, please install and run Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment. From the main ewido screen, click on update in the left menu, then click the Start update button. After the update finishes (the status bar at the bottom will display "Update successful") Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan. Thanks and good luck...pskelley
  5. BASPro, Your HijackThis log shows evidence of a 'Look2Me' infection. This will take several posts to fix. I must tell you this is a nasty infection that is hard to remove. The removal is complex and this is not something for a novice to be doing on the telephone. This infection usually has others with it though I can't scan the log because you cut off the first four lines and in order to proceed I need a complete HJT log. Given a complete log, I will provide the the fix but I strongly suggest you go to the computer and do not attempt to do this remotely. Thanks...pskelley Trusted HJT Advisor PCPitStop forum
×
×
  • Create New...