Trevuren

Trusted Malware Techs
  • Content Count: 246

Everything posted by Trevuren

  1. Option 2 autofix
     Open this folder: Program Files > haxfix, and double click on fix.bat (or double click on the fix.bat desktop icon).
     Close all other open windows, since this step requires a reboot.
     Select option 2. Run auto fix by typing 2 and then pressing Enter.
     If an infection is found, you'll get a message to close all other open windows. Close all open windows except the red DOS window from haxfix and then press Enter.
     The computer will reboot.
     After reboot a logfile will open > (c:\haxfix.txt)
     Post the contents of that logfile along with a new HijackThis log.
     Regards, Trevuren
  2. Download haxfix.exe and save it to your desktop.
     Double click on haxfix.exe to install haxfix. (The standard installation path is c:\program Files\haxfix.)
     Checkmark "Create a desktop icon".
     Click "Next".
     When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
     Click "Finish".
     A red "dos window" (dos box) will open with options:
       1. Make logfile
       2. Run auto fix
       3. Run manual fix
       E. Exit Haxfix
     Select option 1. Make logfile by typing 1 and then pressing Enter.
     Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
     Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
     Regards, Trevuren
  3. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
     First we need to make all files and folders VISIBLE:
       Go to start > control panel > folder options > view (tab)
       Choose to "show hidden files and folders".
       Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
       Close the window with ok.
     Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
       R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
       R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
       R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
       R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
       R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
       R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
       R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
       O2 - BHO: (no name) - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - (no file)
       O20 - AppInit_DLLs: Runner.dll,bhfkpooc.dll,EQMini.dll
       O20 - Winlogon Notify: accies98 - accies98.dll (file missing)
       O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll
     Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
     Reboot Your System in Safe Mode
     How to use the F8 method to Start Your Computer in Safe Mode:
       Restart the computer.
       As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
       Use the arrow keys to select the Safe mode menu item.
       Press Enter.
     Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):
       C:\Windows\system32\Runner.dll
       C:\WINDOWS\SYSTEM32\mmx4xt.dll
       C:\Windows\SYSTEM32\EQMini.dll
       C:\Windows\system32\bhfkpooc.dll
     Exit Explorer, and REBOOT BACK INTO NORMAL MODE.
     Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
     Regards, Trevuren
  4. I am sorry but I am not an expert on Vaio systems. For this problem, you should consult either the manufacturer's website or one of our other forums after all the malware has been removed from your system. Some of these problems could still be malware related. Please do a search for the following files using the Windows Search function and try to provide me with the exact path of the files in question: EQMini.dll bhfkpooc.dll Trevuren
  5. There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis. 1. Click HERE to get to Jotti's site. 2. At the top of the Jotti window, use the Browse button to locate the following file on your system: C:\WINDOWS\SYSTEM32\mmx4xt.dll 3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed. 4. Please provide me with the results of the analysis. 5. Now, please do the same with the following files: C:\WINDOWS\SYSTEM32\EQMini.dll C:\WINDOWS\SYSTEM32\bhfkpooc.dll C:\WINDOWS\SYSTEM32\Runner.dll Regards, Trevuren
  6. Hi Gordon24Johnson28 and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log.
     I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either (1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or (2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.
     Restart your system.
     1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
     Download Ad-Aware SE Personal 1.06:
       Download Ad-Aware SE Personal 1.06.
       Save aawsepersonal.exe to a convenient location.
     Install Ad-Aware SE Personal 1.06:
       Double-click on aawsepersonal.exe to install the program.
       Follow the default settings for installation.
       After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
     Update Ad-Aware SE Personal 1.06:
       Double-click the Ad-Aware SE Personal icon on your desktop.
       Click "Check for updates now" then click "Connect". It will check for any updates.
       If any are found click "OK" to download and install the updates.
       Once it has finished click "Finish".
     Configure Ad-Aware SE Personal 1.06:
       Click on the Gear button at the top of the window.
       Click "General" on the left hand side to display the General Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         "Automatically save logfile"
         "Automatically quarantine objects prior to removal"
         "Safe Mode (always request confirmation)"
         "Prompt to update outdated definitions" - change to 7 days from the default 14.
       Click "Scanning" on the left hand side to display the Scan Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         "Scan within archives"
         "Select drives & folders to scan" - select your hard drive(s).
         "Scan active processes"
         "Scan registry"
         "Deep-scan registry"
         "Scan my IE favorites for banned URLs"
         "Scan my Hosts file"
       Click "Advanced" on the left hand side to display the Advanced Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         "Move deleted files to Recycle Bin"
         "Include additional object information"
         "Include negligible objects information"
         "Include environment information"
       Click "Defaults" on the left hand side to display the Default Settings box. Make sure these items have your preferred settings in them:
         "Default homepage"
         "Default searchpage"
       Click "Tweak" on the left hand side to display the Tweak Settings box.
       Click the + (plus) sign next to the Log Files section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         "Include basic Ad-Aware settings in log file"
         "Include additional Ad-Aware settings in log file"
         "Include reference summary in log file"
         "Include alternate data stream details in log file"
       Click the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         "Unload recognized processes & modules during scan"
         "Scan registry for all users instead of current user only"
         "Obtain command line of scanned processes"
       Click the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         "Always try to unload modules before deletion"
         "During removal, unload Explorer and IE if necessary"
         "Let Windows remove files in use at next reboot"
         "Delete quarantined objects after restoring"
       Once you are done with these settings, click "Proceed" to save them. This will take you back to the main screen.
     Run Ad-Aware SE Personal 1.06:
       Click the "Start" button.
       Uncheck the "Search for negligible risk entries" entry.
       Choose the "Use custom scanning options" scan mode.
       Click the "Next" button. Ad-Aware will begin to scan for malware residing on your computer.
       Allow the scan to finish.
       Right-click on any entry in the list and click "Select All" to select the whole list.
       Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
     2. Please follow the instructions provided; you may want to print out these instructions and use them as a reference.
     Please download ewido security suite; it is a trial version of the program.
       Install ewido security suite.
       When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
       Launch ewido; there should be an icon on your desktop, double-click it.
       The program will prompt you to update; click the OK button.
       The program will now go to the main screen.
     You will need to update ewido to the latest definition files.
       On the left hand side of the main screen click update.
       Click on Start.
       The update will start and a progress bar will show the updates being installed.
     Once the updates are installed do the following:
       REBOOT into Safe Mode.
       Run EWIDO.
       Click on scanner.
       Click on Start Scan.
       Let the program scan the machine.
       While the scan is in progress you will be prompted to clean files, click OK.
       Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
       Click Save report.
       Save the report to your desktop.
     Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply.
     Regards, Trevuren
  7. Congratulations, your log shows that your SYSTEM IS CLEAN.
     There are a few things you must do once you are completely clean:
     1. Re-hide your System Files and Folders to prevent any future accidents.
     Reconfigure Windows XP to hide hidden files:
       Click Start.
       Open My Computer.
       Select the Tools menu and click Folder Options.
       Select the View Tab.
       Under the Hidden files and folders heading deselect "Show hidden files and folders".
       Check the "Hide protected operating system files (recommended)" option.
       Click Yes to confirm.
       Click OK.
     2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
       Double-click ATF-Cleaner.exe to run the program.
       Under Main choose: Select All
       Click the Empty Selected button.
       If you use Firefox browser:
         Click Firefox at the top and choose: Select All
         Click the Empty Selected button.
         NOTE: If you would like to keep your saved passwords, please click No at the prompt.
       If you use Opera browser:
         Click Opera at the top and choose: Select All
         Click the Empty Selected button.
         NOTE: If you would like to keep your saved passwords, please click No at the prompt.
       Click Exit on the Main menu to close the program.
       For Technical Support, double-click the e-mail address located at the bottom of each menu.
     3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
     TO DISABLE SYSTEM RESTORE
       Right-click "My Computer", and then left click "Properties".
       Left click on "System Restore Tab".
       Check box beside "Turn Off System Restore".
       Left click on "Apply".
       Reboot your System.
     TO ENABLE SYSTEM RESTORE
       Remove check mark from "Turn Off System Restore".
       Click on "Apply".
     Here are some tips to reduce the potential for spyware infection in the future:
     Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.
     I strongly recommend installing the following applications:
       Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
       Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
       How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
       How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
     To protect yourself further:
       Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
       MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
       Google Toolbar <= Get the free google toolbar to help stop pop up windows.
     And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)
     Regards, Trevuren
  8. Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
       O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
       O20 - Winlogon Notify: winxwt32 - winxwt32.dll (file missing)
     Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
     Reboot Your System.
     Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
     Regards, Trevuren
  9. Your log is looking much better at this point. I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to reenable those startup entries by doing the following: Please click on start, then run, and type msconfig and then press enter. When the window opens click on the startup tab and make sure there are checkmarks in every entry. Then press ok until you are out of the program. If it asks to reboot, do not reboot. Now please create a new Hijackthis Log and post it as a reply Trevuren
  10. Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as FixSF.reg.

      REGEDIT4

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"=-
      "{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"=-

      [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]

      [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SpyFalcon"=-

      Trevuren
  11. Hi materium and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log.
      Removal Instructions:
      Step 1:
        Print out these instructions as we will need to close every window that is open later in the fix.
        Download FixSF.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.
        Confirm that the file FixSF.reg now resides on your desktop as we will need it later.
        Download smitRem.exe ©noahdfear, and save the file to your desktop.
        Double click on the file to extract it to its own folder on the desktop. If you look on your desktop you will now see a folder called smitRem.
        Go to your desktop and double click on the FixSF.reg file that you downloaded earlier. When it asks if you would like to merge the information, press the Yes button and then the OK button.
      Step 2:
        Next, please reboot your computer into SafeMode by doing the following:
          Restart your computer.
          After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
          Select the first option, to run Windows in Safe Mode.
          When you are at the logon prompt, log in as an Administrator.
        When your computer has started in SafeMode and you see the desktop, click on Start > Control Panel > Double-click on the Add or Remove Programs icon.
        Find the entry for SpyFalcon and double-click on it.
        Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.
        Delete the following files and folders (Do not be concerned if this folder does not exist):
          C:\Windows\System32\dxmpp.dll <-- File
          C:\Windows\System32\ginuerep.dll <-- File
          C:\Program Files\SpyFalcon\ <-- Folder
        Close all Windows.
      Step 3:
        Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
        If there is an uninstaller present for an infection that smitRem removes it will start this uninstaller. Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.
        Wait for the tool to complete and Disk Cleanup to finish.
        The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
        Next go to Control Panel, click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
      Step 4:
        Reboot your system back into Normal Mode and perform an online scan with Panda ActiveScan.
        Once you are on the Panda site click the Scan your PC button.
        A new window will open...click the Check Now button.
        Enter your Country
        Enter your State/Province
        Enter your e-mail address and click send
        Select either Home User or Company
        Click the big Scan Now button
        If it wants to install an ActiveX component allow it
        It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
        When the download is complete, click on Local Disks to start the scan
        When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
      Post the contents of the Panda ActiveScan report, along with a new HijackThis Log and the contents of smitfiles.txt, by using Add Reply.
      Regards, Trevuren
  12. Please update your Java and clear the Java cache.
      Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
      If you are unable to update you can manually update by going here: http://www.java.com/en/download/manual.jsp
      After the reboot, go back into the Control Panel and double-click the Java Icon.
      Under Temporary Internet Files, click the Delete Files button.
      There are three options in the window to clear the cache - Leave ALL 3 Checked:
        Downloaded Applets
        Downloaded Applications
        Other Files
      Click OK on the Delete Temporary Files window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      Click OK to leave the Java Control Panel.
      Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations.
      Trevuren
  13. Before you get into more trouble please start to use an AntiVirus program and a software Firewall. AVG7 Free is an excellent free antivirus which can be downloaded from the link that I will provide you with below. After downloading the program, make sure you update its definitions and configure it to run properly.
      AVG Free AntiVirus
      In addition, I STRONGLY recommend you use a software firewall that blocks both unwanted incoming and outgoing traffic. ZoneAlarm is a free one that I use and it has served me well. You can download the FREE firewall from the link below.
      ZoneAlarm Free Firewall
      Trevuren
  14. Stay away from P2P sharing of illegal software and music etc....
      Congratulations, your log shows that your SYSTEM IS CLEAN.
      There are a few things you must do once you are completely clean:
      1. Re-hide your System Files and Folders to prevent any future accidents.
      Reconfigure Windows XP to hide hidden files:
        Click Start.
        Open My Computer.
        Select the Tools menu and click Folder Options.
        Select the View Tab.
        Under the Hidden files and folders heading deselect "Show hidden files and folders".
        Check the "Hide protected operating system files (recommended)" option.
        Click Yes to confirm.
        Click OK.
      2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
        Double-click ATF-Cleaner.exe to run the program.
        Under Main choose: Select All
        Click the Empty Selected button.
        If you use Firefox browser:
          Click Firefox at the top and choose: Select All
          Click the Empty Selected button.
          NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        If you use Opera browser:
          Click Opera at the top and choose: Select All
          Click the Empty Selected button.
          NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        Click Exit on the Main menu to close the program.
        For Technical Support, double-click the e-mail address located at the bottom of each menu.
      3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
      TO DISABLE SYSTEM RESTORE
        Right-click "My Computer", and then left click "Properties".
        Left click on "System Restore Tab".
        Check box beside "Turn Off System Restore".
        Left click on "Apply".
        Reboot your System.
      TO ENABLE SYSTEM RESTORE
        Remove check mark from "Turn Off System Restore".
        Click on "Apply".
      Here are some tips to reduce the potential for spyware infection in the future:
      Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.
      I strongly recommend installing the following applications:
        Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
        Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
        How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
        How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
      To protect yourself further:
        Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
        MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
        Google Toolbar <= Get the free google toolbar to help stop pop up windows.
      And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)
      Regards, Trevuren
  15. We must disable Spy Sweeper for it may interfere with our fix.
      To disable SpySweeper:
        Open SpySweeper, click > Options over to the left, then > program options > Uncheck "load at windows startup".
        Over to the left, click "shields" and uncheck all there.
        Uncheck "home page shield".
        Uncheck "automatically restore default without notification".
      Please disable Spywareguard:
        Double-click the red SG icon in your system tray.
        Click Options.
        Under General uncheck all 3 options, then click "Save Settings".
        Close Spywareguard.
      Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
        O4 - HKLM\..\Run: [LocalProxy] C:\Program Files\LocalProxy\proxy4free.exe
        O20 - Winlogon Notify: winwrv32 - winwrv32.dll (file missing)
      Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
      Reboot Your System.
      Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
      Regards, Trevuren
  16. A. Run ATF again and make sure that all browsers are cleared and all cookies removed.
      B.
      1. Please download The Avenger by Swandog46 to your Desktop.
        Click on Avenger.zip to open the file.
        Extract avenger.exe to your desktop.
      2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

        Files to Delete:
        C:\Documents and Settings\Stacy Williams\Local Settings\Temporary Internet Files\Ssk.log
        C:\RECYCLER\S-1-5-21-1409082233-842925246-725345543-500\Dc1\stopAds.exe
        C:\RECYCLER\S-1-5-21-1409082233-842925246-725345543-500\Dc3\direct.exe
        C:\RECYCLER\S-1-5-21-1409082233-842925246-725345543-500\Dc3\dsb.exe
        C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx
        C:\WINDOWS\Temp\hadniind.exe
        C:\WINDOWS\Temp\kgbodjnd.exe
        C:\WINDOWS\winsysupd71.dat
        C:\WINDOWS\SYSTEM32\winwrv32.dll

        Folders to delete:
        C:\Program Files\LocalProxy

      Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
      3. Now, start The Avenger program by clicking on its icon on your desktop.
        Under "Script file to execute" choose "Input Script Manually".
        Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
        Paste the text copied to clipboard into this window by pressing (Ctrl+V).
        Click Done.
        Now click on the Green Light to begin execution of the script.
        Answer "Yes" twice when prompted.
      4. The Avenger will automatically do the following:
        It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
        On reboot, it will briefly open a black command window on your desktop, this is normal.
        After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
        The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
      5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.
      Regards, Trevuren
  17. Please run ActiveScan again and post the results. We have to make sure that nothing is left. Trevuren
  18. Yes please. We'll get it another way after your current set of deletions and after you have posted a fresh HJT log. Trevuren
  19. Right click on the file, choose Properties and make sure that NO boxes are checked in the Attributes section. Then try. Trevuren
  20. We must disable Spy Sweeper for it may interfere with our fix.
      To disable SpySweeper:
        Open SpySweeper, click > Options over to the left, then > program options > Uncheck "load at windows startup".
        Over to the left, click "shields" and uncheck all there.
        Uncheck "home page shield".
        Uncheck "automatically restore default without notification".
      Please disable Spywareguard:
        Double-click the red SG icon in your system tray.
        Click Options.
        Under General uncheck all 3 options, then click "Save Settings".
        Close Spywareguard.
      Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
      First we need to make all files and folders VISIBLE:
        Go to start > control panel > folder options > view (tab)
        Choose to "show hidden files and folders".
        Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
        Close the window with ok.
      Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
        O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
        O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
        O4 - HKLM\..\Run: [DSB] C:\Program Files\DSB\dsb.exe
        O4 - HKCU\..\Run: [wzik] C:\PROGRA~1\COMMON~1\wzik\wzikm.exe
        O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Stacy Williams\Local Settings\Temp\{8A0D0720-5780-49D6-86DC-3D10C2F6062A}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
        O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
        O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
        O20 - Winlogon Notify: winwrv32 - C:\WINDOWS\SYSTEM32\winwrv32.dll
      Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
      Reboot Your System in Safe Mode
      How to use the F8 method to Start Your Computer in Safe Mode:
        Restart the computer.
        As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
        Use the arrow keys to select the Safe mode menu item.
        Press Enter.
      Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):
        C:\Program Files\AdsBlocker<==Folder and all its content
        C:\Program Files\Viewpoint<==Folder and all its content
        C:\Program Files\DSB<==Folder and all its content
        C:\PROGRAM FILES\COMMON FILES\wzik<==Folder and content
        C:\Documents and Settings\Stacy Williams\Local Settings\Temp\{8A0D0720-5780-49D6-86DC-3D10C2F6062A}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
        C:\WINDOWS\SYSTEM32\winwrv32.dll
        C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
        C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\1TQK91X3<==Folder and content
        C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\ALUKQSXK<==Folder and content
        C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\JT809W1K<==Folder and content
        C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\K3EFUQ40<==Folder and content
        C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\YQ335SZ3<==Folder and content
        C:\Documents and Settings\Stacy Williams\Local Settings\Temp\Temporary Internet Files\Content.IE5\O5ARWTYF<==Folder and content
        C:\Documents and Settings\Stacy Williams\Local Settings\Temporary Internet Files\Ssk.log
        C:\NNSCAA638.EXE
        C:\Program Files\Common Files\WinAntiVirus Pro 2006<==Folder and content
        C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx
        C:\WINDOWS\NDNuninstall6_38-1.exe
        C:\WINDOWS\NDNuninstall7_22.exe
        C:\WINDOWS\system32\dmm.exe
        C:\WINDOWS\system32\oins.exe
        C:\WINDOWS\system32\p2pnetworking.exe
        C:\WINDOWS\Temp\DelA078.tmp
        C:\WINDOWS\Temp\foheflnd.exe
        C:\WINDOWS\Temp\win135C.tmp.exe
      Exit Explorer, and REBOOT BACK INTO NORMAL MODE.
      Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
      Regards, Trevuren
  21. Now, please post a fresh HJT log and we will see if we can finish this soon. Trevuren
  22. Did you run ATF cleaner as requested somewhere among those posts? Trevuren
  23. It may be easier to delete the following folder and all its content: C:\Documents and Settings\Stacy Williams\Complete
  24. Your whole system has been contaminated by a worm. I strongly believe it is from all that junk that you downloaded through LIMEWIRE.
      1. First, get rid of LIMEWIRE through Add/Remove Programs.
      2. All the music .zip files and every other file indicated as being infected must also be deleted. (For a full list, just go through the list you sent and delete them.)
      3. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
        Double-click ATF-Cleaner.exe to run the program.
        Under Main choose: Select All
        Click the Empty Selected button.
        If you use Firefox browser:
          Click Firefox at the top and choose: Select All
          Click the Empty Selected button.
          NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        If you use Opera browser:
          Click Opera at the top and choose: Select All
          Click the Empty Selected button.
          NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        Click Exit on the Main menu to close the program.
        For Technical Support, double-click the e-mail address located at the bottom of each menu.
      Now reboot your system after ALL the deletions and cookie cleanup and please post a fresh HJT log. We will then have you run the scans again to see what remains.
      Trevuren
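
Added example (not part of the original posts and not HijackThis code): a small triage script for the kinds of HijackThis lines that posts 3, 8, 15 and 20 ask the user to fix. It separates entries HijackThis reports as pointing at an absent file from entries whose files still exist and should be scanned first, as post 5 does. The sample log combines lines copied from posts 3 and 15; all function and class names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# HijackThis section codes that appear in the posts above.
SECTION_KINDS = {
    "R0": "IE page setting (changed value)",
    "R1": "IE page setting (created value)",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry",
    "O8": "IE context-menu item",
    "O16": "downloaded ActiveX control",
    "O20": "AppInit_DLLs / Winlogon Notify",
}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
ORPHAN_RE = re.compile(r"\s*\((?:file missing|no file)\)", re.IGNORECASE)
RUN_RE = re.compile(r"^(HK(?:LM|CU)\\\.\.\\[^:]+): \[([^\]]+)\] (.+)$")


@dataclass
class Entry:
    code: str
    kind: str
    body: str
    orphaned: bool = False                        # target file reported absent
    modules: list = field(default_factory=list)   # files this entry loads
    note: str = ""


def parse_entry(line):
    """Parse one log line; return None for headings and other non-entries."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    code, body = m.groups()
    entry = Entry(code, SECTION_KINDS.get(code, "other"), body)
    entry.orphaned = ORPHAN_RE.search(body) is not None
    clean = ORPHAN_RE.sub("", body).strip()
    if code == "O20" and clean.startswith("AppInit_DLLs:"):
        # The registry value is a comma- or space-separated DLL list.
        dll_list = clean.split(":", 1)[1]
        entry.modules = [d for d in re.split(r"[,\s]+", dll_list) if d]
        entry.note = "mapped into every process that loads user32.dll"
    elif code == "O20" and clean.startswith("Winlogon Notify:"):
        name, _, dll = clean.split(":", 1)[1].partition(" - ")
        entry.modules = [dll.strip()]
        entry.note = "Winlogon notification package " + name.strip()
    elif code == "O4":
        run = RUN_RE.match(clean)
        if run:
            entry.modules = [run.group(3)]
            entry.note = "value %r under %s" % (run.group(2), run.group(1))
    return entry


def triage(log_text):
    """Return every recognised entry in the log, in order."""
    parsed = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None]


def orphaned_entries(entries):
    """Registry leftovers whose file is already gone."""
    return [e for e in entries if e.orphaned]


def files_to_verify(entries):
    """Files still referenced by a load point: scan these before deleting."""
    seen, out = set(), []
    for e in entries:
        if e.orphaned:
            continue
        for mod in e.modules:
            if mod.lower() not in seen:
                seen.add(mod.lower())
                out.append(mod)
    return out


# Constructed sample: entry lines copied from posts 3 and 15, plus one heading.
SAMPLE_LOG = r"""
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - (no file)
O4 - HKLM\..\Run: [LocalProxy] C:\Program Files\LocalProxy\proxy4free.exe
O20 - AppInit_DLLs: Runner.dll,bhfkpooc.dll,EQMini.dll
O20 - Winlogon Notify: accies98 - accies98.dll (file missing)
O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in orphaned_entries(found):
        print("leftover :", e.code, e.body)
    for path in files_to_verify(found):
        print("scan     :", path)
```
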
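
Added example (not part of the original posts): a dry-run reader for a REGEDIT4 file such as the FixSF.reg in post 10, listing what a merge would do before anyone double-clicks it. In .reg syntax `[-KEY]` deletes a key and `"name"=-` deletes a value; a cleanup file should contain no value writes. Function names are hypothetical, and the second sample is constructed.

```python
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=data or @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')


def parse_reg(text):
    """Return a list of (action, key, value_name) tuples for a .reg file."""
    # Join hex data continued over several lines with a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("not a .reg file: header line missing")
    ops, key = [], None
    for ln in lines[1:]:
        if ln.startswith("[-") and ln.endswith("]"):
            ops.append(("delete-key", ln[2:-1], None))
            key = None
        elif ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
        else:
            m = VALUE_RE.match(ln)
            if m is None or key is None:
                raise ValueError("unparseable line: %r" % ln)
            name = m.group(1) if m.group(1) is not None else "(Default)"
            action = "delete-value" if m.group(2) == "-" else "set-value"
            ops.append((action, key, name))
    return ops


def writes(ops):
    """Operations that create or change data; a pure cleanup file has none."""
    return [op for op in ops if op[0] == "set-value"]


# The FixSF.reg content from post 10.
FIXSF_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}"=-
"{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}"=-

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D}]

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C9FA1DC9-1FB3-C2A8-2F1A-DC1A33E7AF9D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyFalcon"=-
"""

# Constructed counter-example: a file that writes a value instead of deleting.
WRITING_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Example]
"Setting"="1"
"""

if __name__ == "__main__":
    for action, key, name in parse_reg(FIXSF_REG):
        print("%-12s %s %s" % (action, key, name or ""))
    print("value writes in FixSF.reg:", len(writes(parse_reg(FIXSF_REG))))
```
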