
Trevuren
Trusted Malware Techs
Content Count: 246

Everything posted by Trevuren

  1. Please post them both using several replies if necessary. Please remember to identify them so I don't get confused. There must have been a lot of junk removed and maybe a lot more to go. I have to find out what exactly is going on here. Thanks, Trevuren
  2. This will take care of them:
     Congratulations, your log shows that your SYSTEM IS CLEAN.
     There are a few things you must do once you are completely clean:
     1. Re-hide your System Files and Folders to prevent any future accidents. Reconfigure Windows XP to hide hidden files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading deselect "Show hidden files and folders". Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm. Click OK.
     2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button. If you use the Firefox browser, click Firefox at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use the Opera browser, click Opera at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.
     3. Reset and re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
     TO DISABLE SYSTEM RESTORE: Right-click "My Computer", and then left-click "Properties". Left-click on the "System Restore" tab. Check the box beside "Turn Off System Restore". Left-click on "Apply". Reboot your system.
     TO ENABLE SYSTEM RESTORE: Remove the check mark from "Turn Off System Restore". Click on "Apply".
     Here are some tips to reduce the potential for spyware infection in the future: Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.
     I strongly recommend installing the following applications:
     Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
     Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
     How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
     How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
     To protect yourself further:
     Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
     MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
     Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
     And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)
     Regards, Trevuren
  3. You have to get rid of the following infected items:
     E:\Downloaded Checked\PROGS\CUBASE SX 3.0 (dongle emulator crack for Steinberg Cubase SX v3.0 DVDRip.md/dongle emulator crack/dongle emulator crack.rar/dongle emulator crack/emulator dongle sx3.rar/emulator dongle sx3/emulator cubase sx 3.zip/SpyAnytime.PC.Spy.v2.42.WinALL.Regged-CHiCNCREAM/sapcspy.exe Infected: Trojan-Dropper.Win32.Small.mt skipped
     E:\Downloaded Checked\PROGS\CUBASE SX 3.0 (dongle emulator crack for Steinberg Cubase SX v3.0 DVDRip.md/dongle emulator crack/dongle emulator crack.rar/dongle emulator crack/emulator dongle sx3.rar/emulator dongle sx3/emulator cubase sx 3.zip Infected: Trojan-Dropper.Win32.Small.mt skipped
     E:\Downloaded Checked\PROGS\CUBASE SX 3.0 (dongle emulator crack for Steinberg Cubase SX v3.0 DVDRip.md/dongle emulator crack/dongle emulator crack.rar/dongle emulator crack/emulator dongle sx3.rar Infected: Trojan-Dropper.Win32.Small.mt skipped
     E:\Downloaded Checked\PROGS\CUBASE SX 3.0 (dongle emulator crack for Steinberg Cubase SX v3.0 DVDRip.md/dongle emulator crack/dongle emulator crack.rar Infected: Trojan-Dropper.Win32.Small.mt skipped
     E:\Downloaded Checked\PROGS\CUBASE SX 3.0 (dongle emulator crack for Steinberg Cubase SX v3.0 DVDRip.md RAR: infected - 4 skipped
     It is not surprising that you are having problems with your system. Crack/Keygen sites are notorious for providing infected material. In addition, it is against the law in most countries to infringe upon copyright laws by using illegally obtained software.
     Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures and recommendations. Trevuren
  4. Please download WebRoot SpySweeper from HERE (it's a 14-day trial): Click Download Now to download the program. Install it. Once the program is installed, it will open. It will prompt you to update to the latest definitions; click Yes. Once the definitions are installed, click Options on the left side. Click the Sweep Options tab. Under What to Sweep please put a check next to the following:
     Sweep Memory
     Sweep Registry
     Sweep Cookies
     Sweep All User Accounts
     Enable Direct Disk Sweeping
     Sweep Contents of Compressed Files
     Sweep for Rootkits
     Please UNCHECK Do not Sweep System Restore Folder.
     Click Sweep Now on the left side. Click the Start button. When it's done scanning, click the Next button. Make sure everything has a check next to it, then click the Next button. It will remove all of the items found. Click Session Log in the upper right corner and copy everything in that window. Click the Summary tab and click Finish. Paste the contents of the session log you copied into your next reply along with a fresh HJT log.
     Regards, Trevuren
  5. Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
     R3 - Default URLSearchHook is missing
     O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
     O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
     O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll (file missing)
     O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
     Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window. Reboot your system. RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
     Now, just to make sure your system is totally clean, please do an online scan with Kaspersky Online Virus Scanner. Next click on Free Virus Scanner, then Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded click on NEXT. Now click on Scan Settings. In the scan settings make sure that the following are selected: Scan using the following Anti-Virus database: Standard. Scan Options: Scan Archives, Scan Mail Bases. Click OK. Now under "select a target to scan" select My Computer. The program will start and scan your system. The scan will take a while so be patient and let it run.
     Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button. Save the file to your desktop. Copy and paste that information into your next post. Regards, Trevuren
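Several of the posts on this page (this one, and posts 7, 17 and 18 below) ask the user to tick specific HijackThis entries: toolbars and BHOs whose file is gone, IE search settings pointing at a res:// page inside a local DLL, Run keys that name a bare executable, and modules loading from the Windows root. The added example below is mine, not Trevuren's or HijackThis's own code; it parses a small constructed log built from entries quoted in these posts and reports why each line would draw a helper's attention. The heuristics are assumptions about what such a reviewer looks for, not HijackThis's internal logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, assembled from HijackThis entries quoted in the
# posts on this page. It is not a complete or real log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\yxeuk.dll/sp.html#37049
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {94EDA710-BB36-72A8-38B1-FBB4D78789FE} - C:\\WINDOWS\\netjm.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\NavShExt.dll (file missing)
O4 - HKLM\\..\\Run: [addxv32.exe] C:\\WINDOWS\\addxv32.exe
O4 - HKLM\\..\\Run: [lich] lich.exe
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
"""

# Every HijackThis line starts with a section code (R0-R3, F0-F3, O1-O23),
# a " - " separator and the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str
    body: str
    reasons: list = field(default_factory=list)


def triage_line(line):
    """Return a Finding for one log line, or None if it is not an entry.

    The reasons are review heuristics (an assumption of this example), not
    verdicts: a reviewer still confirms each one by hand.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: referenced file is gone")
    if re.search(r"=\s*res://", body):
        reasons.append("IE search/start page points at a res:// page inside a local DLL")
    if "(no name)" in body:
        reasons.append("unnamed toolbar/BHO")
    if kind == "R3" and "missing" in body:
        reasons.append("default URLSearchHook missing")
    if kind == "O4" and "]" in body:
        # Run entries whose target is a bare filename rely on PATH lookup,
        # which is how entries like [lich] lich.exe hide where they live.
        target = body.split("]", 1)[1].strip().strip('"')
        if target and not re.match(r"^[A-Za-z]:\\", target):
            reasons.append("Run entry with bare filename, no full path")
    if re.search(r"\\WINDOWS\\[^\\ ]+\.(dll|exe)$", body, re.I):
        reasons.append("loads from the Windows root rather than System32 or Program Files")
    return Finding(kind, body, reasons)


def triage_log(text):
    """Parse a whole log and keep only the entries that raised a reason."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.kind}: {f.body}")
        for r in f.reasons:
            print(f"    -> {r}")
```

The untouched `about:blank` line is left alone on purpose: a blank default page is not evidence of anything, and the point of the triage is to shorten the list a human has to read, not to replace the human.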
  6. Hi clonesheep and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log. Please follow the instructions provided; you may want to print out these instructions and use them as a reference.
     Please download ewido security suite; it is a trial version of the program. Install ewido security suite. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido; there should be an icon on your desktop, double-click it. The program will prompt you to update; click the OK button. The program will now go to the main screen. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Click on Start. The update will start and a progress bar will show the updates being installed. Once the updates are installed do the following: Click on scanner. Click on Complete System Scan and the scan will begin. Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report. Save the report to your desktop.
     Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply. Regards, Trevuren
  7. Please disable Windows Defender, for it may interfere with some of the changes we need to make. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
     First we need to make all files and folders VISIBLE: Go to Start > Control Panel > Folder Options > View (tab). Choose to "show hidden files and folders". Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes. Close the window with OK.
     Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
     O4 - HKLM\..\Run: [lich] lich.exe
     O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
     O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
     Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
     Reboot your system in Safe Mode. How to use the F8 method to start your computer in Safe Mode: Restart the computer. As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears. Use the arrow keys to select the Safe mode menu item. Press Enter.
     Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):
     C:\WINDOWS\system32\intell321.exe
     C:\Program Files\AlfaCleaner <== Folder and content
     lich.exe <== You may have to do a search for this one.
     Exit Explorer, and REBOOT BACK INTO NORMAL MODE.
     Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. Regards, Trevuren
  8. A. Please provide a list of uninstallable programs. To provide a list of installed programs: Run HijackThis. Click Config >> Miscellaneous Tools >> Open Uninstall Manager >> Save List. Save the list to Desktop. Copy the Notepad list and paste it into this thread.
     B. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All. Click the Empty Selected button. If you use the Firefox browser, click Firefox at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use the Opera browser, click Opera at the top and choose: Select All. Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu.
     C. Please don't forget the log from Active Scan.
     D. Please post a fresh HJT log for review.
     Regards, Trevuren
  9. * Click here to download Brute Force Uninstaller (bfu.zip) and save it to your C:\ drive. Next you must unzip the bfu.zip file to its own folder on C:\ so that the path to it is C:\BFU. The file path must be C:\BFU for the removal to work.
     * Next download the alcanshorty.bfu script and save it to the C:\BFU folder. RIGHT-CLICK HERE and choose "Save As" (in Internet Explorer it's "Save Target As") to download alcanshorty.bfu. Save it in the C:\BFU folder you made earlier. Start the Brute Force Uninstaller by double-clicking the BFU.exe in the C:\BFU folder. In the scriptline to execute copy and paste this line: c:\bfu\alcanshorty.bfu. Press execute and let it run. Wait for the complete script execution box to pop up and press OK. Press exit to terminate the BFU program.
     * Run ActiveScan online virus scan here. When the scan is finished, save the results from the scan!
     Post a new HiJackThis log along with the results from ActiveScan. Trevuren
  10. Hi gman02 and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log.
     1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
     Download Ad-Aware SE Personal 1.06: Save aawsepersonal.exe to a convenient location.
     Install Ad-Aware SE Personal 1.06: Double-click on aawsepersonal.exe to install the program. Follow the default settings for installation. After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
     Update Ad-Aware SE Personal 1.06: Double-click the Ad-Aware SE Personal icon on your desktop. Click "Check for updates now" then click "Connect". It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
     Configure Ad-Aware SE Personal 1.06: Click on the Gear button at the top of the window.
     Click "General" on the left hand side to display the General Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it: "Automatically save logfile"; "Automatically quarantine objects prior to removal"; "Safe Mode (always request confirmation)"; "Prompt to update outdated definitions" - change to 7 days from the default 14.
     Click "Scanning" on the left hand side to display the Scan Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it: "Scan within archives"; "Select drives & folders to scan" - select your hard drive(s); "Scan active processes"; "Scan registry"; "Deep-scan registry"; "Scan my IE favorites for banned URLs"; "Scan my Hosts file".
     Click "Advanced" on the left hand side to display the Advanced Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it: "Move deleted files to Recycle Bin"; "Include additional object information"; "Include negligible objects information"; "Include environment information".
     Click "Defaults" on the left hand side to display the Default Settings box. Make sure these items have your preferred settings in them: "Default homepage"; "Default searchpage".
     Click "Tweak" on the left hand side to display the Tweak Settings box. Click the + (plus) sign next to the Log Files section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it: "Include basic Ad-Aware settings in log file"; "Include additional Ad-Aware settings in log file"; "Include reference summary in log file"; "Include alternate data stream details in log file".
     Click the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it: "Unload recognized processes & modules during scan"; "Scan registry for all users instead of current user only"; "Obtain command line of scanned processes".
     Click the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it: "Always try to unload modules before deletion"; "During removal, unload Explorer and IE if necessary"; "Let Windows remove files in use at next reboot"; "Delete quarantined objects after restoring".
     Once you are done with these settings, click "Proceed" to save them. This will take you back to the main screen.
     Run Ad-Aware SE Personal 1.06: Click the "Start" button. Uncheck the "Search for negligible risk entries" entry. Choose the "Use custom scanning options" scan mode. Click the "Next" button. Ad-Aware will begin to scan for malware residing on your computer. Allow the scan to finish. Right-click on any entry in the list and click "Select All" to select the whole list. Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
     2. Please follow the instructions provided; you may want to print out these instructions and use them as a reference. Please download ewido security suite; it is a trial version of the program. Install ewido security suite. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido; there should be an icon on your desktop, double-click it. The program will prompt you to update; click the OK button. The program will now go to the main screen. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Click on Start. The update will start and a progress bar will show the updates being installed. Once the updates are installed do the following: REBOOT into Safe Mode. Run EWIDO. Click on scanner. Click on Start Scan. Let the program scan the machine. While the scan is in progress you will be prompted to clean files; click OK. Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report. Save the report to your desktop.
     Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply. Regards, Trevuren
  11. Hi ew1075 and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log. Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Put a check next to Run VundoFix as a task. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK. When VundoFix re-opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files; click YES. Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shut down your computer; click OK. Turn your computer back on. Please post the contents of C:\vundofix.txt and a new HiJackThis log. Regards, Trevuren
  12. User has requested help from another forum about the same matter and has been sent an initial response; See: http://www.geekstogo.com/forum/index.php?s...60entry582560 Topic has been closed Trevuren
  13. Hi gpsimkin, welcome to PC Pitstop. My name is Trevuren and I will be helping you with your log. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
     1. I want you to UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel: ISTsvc; 180 Solutions.
     2. Now, using Windows Explorer, I need you to DELETE the following folder(s) and all their content: C:\Program Files\ISTsvc; c:\program files\180solutions.
     3. REBOOT your system.
     4. Please download ewido security suite; it is a trial version of the program. Install ewido security suite. Launch ewido; there should be an icon on your desktop, double-click it. The program will prompt you to update; click the OK button. The program will now go to the main screen. You will need to update ewido to the latest definition files. On the left hand side of the main screen click update. Click on Start. The update will start and a progress bar will show the updates being installed. Once the updates are installed do the following: Click on scanner. Make sure the following boxes are checked before scanning: Binder, Crypter, Archives. Click on Start Scan. Let the program scan the machine. While the scan is in progress you will be prompted to clean files; click OK. Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report. Save the report to your desktop.
     5. Reboot your system.
     6. Post back a new HJT log and the ewido .txt log file you saved by using Add Reply.
     Regards, Trevuren
  14. This post is closed due to lack of activity. Should the originator wish to have the thread reopened, please contact an administrator. Trevuren
  15. This post is closed due to lack of activity. Should the originator wish to have the thread reopened, please contact an administrator. Trevuren
  16. Hi bigrig, Sorry to see that our attempt hasn't worked out. Unfortunately I must advise you that I will no longer be treating your problem but don't worry, a member of the senior staff will be along to help you out. I sincerely wish I could have got you clean sooner but this is not a regular infection and apparently is beyond my level of expertise. Regards, Trevuren
  17. Hi Quantum5, my name is Trevuren and welcome to PCPitstop. Just a little bit of malware to remove and you will be on your way.
     First we need to make all files and folders VISIBLE: Go to Start > Control Panel > Folder Options > View (tab). *Choose to "show hidden files and folders". *Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes. *Close the window with OK. *All hidden files will now be visible.
     Close all browser windows and RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
     O2 - BHO: TChkBHO Class - {17D41802-CAE4-4041-A6C1-9EF67C9C26E7} - C:\WINDOWS\SYSTEM32\txekembn.dll
     O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
     O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2560a5421b61db...ip/RdxIE601.cab
     Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and reboot your system in Safe Mode. How to use the F8 method to start your computer in Safe Mode: *Restart the computer. *As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears. *Use the arrow keys to select the Safe mode menu item. *Press Enter.
     Using Windows Explorer, locate the following file, and DELETE it (if it is still present): C:\WINDOWS\SYSTEM32\txekembn.dll
     Exit Explorer, and REBOOT BACK INTO NORMAL MODE. Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. Regards, Trevuren
  18. Hi Titus, I admire your perseverance. You actually got rid of a lot of bad stuff that time. We will give it another go with a slight twist this time. Ready? Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. The programs you will need have already been downloaded, so that will save you a lot of time.
     1. Open Ad-Aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen. Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes. Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark: Scan within archives; Scan active processes; Scan Registry; Deep-scan Registry; Scan my IE Favorites for banned URLs; Scan my Hosts File. Then click on the "Tweak" button to open up the tweak settings. Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark: Scan registry for all users instead of current user only. Make sure the following is unchecked with a "red" X: Unload recognized processes & modules during scan. Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark: Always try to unload modules before deletion; During Removal, unload Explorer and IE if necessary; Let Windows remove files in use at next reboot. Click the "Proceed" button to save settings. Don't scan yet. We will do it in safe mode.
     Ensure hidden files and folders are set to show. Unzip XPHidden.Zip and extract the reg file to your desktop. Double click on the file. When prompted as to whether you want to merge this file with the registry, answer YES.
     Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK. Scroll down and find the service called <Service: Network Security Service ( 11Fßä#·ºÄÖ`I)>. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
     Please disconnect from the Internet and unplug your modem for the duration of this fix. Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE.
     While in safe mode, double click on the cwsserviceemove.reg file you downloaded at the beginning. Grant it permission to add the registry items. Then open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.
     Bring up Task Manager (Ctrl-Alt-Del) and end these processes, if they are present:
     C:\WINDOWS\msav32.exe
     C:\WINDOWS\appyx32.exe
     Now find and delete these files; if you can't find one then don't worry, just move on to the next one:
     C:\WINDOWS\msav32.exe
     C:\WINDOWS\appyx32.exe
     C:\WINDOWS\yxeuk.dll
     C:\WINDOWS\netjm.dll
     C:\WINDOWS\addxv32.exe
     Now run HijackThis and click the scan button; when it has finished scanning put a check against the following and click 'fix checked':
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yxeuk.dll/sp.html#37049
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yxeuk.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yxeuk.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yxeuk.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yxeuk.dll/sp.html#37049
     R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yxeuk.dll/sp.html#37049
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yxeuk.dll/sp.html#37049
     R3 - Default URLSearchHook is missing
     O2 - BHO: Class - {94EDA710-BB36-72A8-38B1-FBB4D78789FE} - C:\WINDOWS\netjm.dll
     O4 - HKLM\..\Run: [addxv32.exe] C:\WINDOWS\addxv32.exe
     O4 - HKLM\..\Run: [appyx32.exe] C:\WINDOWS\appyx32.exe
     O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\msav32.exe" /s (file missing)
     The following step is important as you may have several malware files in your temp directories. Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Window\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.
     Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.
     Copy the contents of the Quote Box below to Notepad. Name the file fix.reg. Change the Save as Type to All Files and save it on the desktop. Then double-click on the fix.reg file, and when it prompts to merge say yes; this will clear some registry entries left behind by the process.
     Scan with Ad-Aware by opening it and clicking the "Next" button to start the scan. When the scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries. To fix all the bad critical objects do the following: Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.
     Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log. Regards, Trevuren.
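Post 2 above recommends the MVPS hosts file, which works by pointing known ad and tracking hosts at 127.0.0.1, and the post just above warns that a scanner's "hosts file" findings cut both ways: a 127.0.0.1 entry is protective, while an entry that sends a real site somewhere else is a hijack. The added example below is mine, not code from Trevuren or from the MVPS project; it parses a constructed hosts file (RFC 2606 example domains and a TEST-NET address, all made up for this block) and separates the two cases so a reviewer does not delete the protective lines along with the bad ones.

```python
import ipaddress

# Constructed sample hosts file for this example only. The domains are
# reserved example names and the 198.51.100.7 address is TEST-NET-2.
SAMPLE_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.example.net        # MVPS-style block entry
0.0.0.0         tracker.example.org    # also a block entry, null route
198.51.100.7    update.example.com     # a real site sent elsewhere: hijack
198.51.100.7    www.example.com
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, ignoring comments and blank lines.

    One hosts line may list several names for one address; each name
    becomes its own pair so it can be classified on its own.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            # Not an address; skip rather than guess.
            continue
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def classify(entries):
    """Split entries into the loopback line, protective blocks and redirects.

    Loopback (127.x) and the unspecified address (0.0.0.0) both make the
    named host unreachable, which is how the MVPS file blocks ad sites.
    Anything else maps the name to a real address, which is the pattern
    the post above describes as malware redirection.
    """
    result = {"localhost": [], "blocking": [], "redirect": []}
    for addr, name in entries:
        if name in ("localhost", "localhost.localdomain"):
            result["localhost"].append(name)
        elif addr.is_loopback or addr.is_unspecified:
            result["blocking"].append(name)
        else:
            result["redirect"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    report = classify(parse_hosts(SAMPLE_HOSTS))
    print("keep (blocking):", report["blocking"])
    print("review (redirect):", report["redirect"])
```

The redirect list is what a reviewer should look at first; the blocking list is what the post says to leave alone.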
  19. Me again. A highly respected specialist on another board is about to try an older, manual and complicated fix on a case that is similar to yours. I am following the case very closely. It may save our bacon. Take care my friend, Trevuren
  20. Hi bigrig, your infection is still out of control and will remain that way. It is not your fault. It is relatively new and we are now trying to come up with a way to cure it. Can't tell you when that will be though. Here are your options: 1. Wait until we can find a cure that the normal individual can do. 2. Reformat your hard drive. I would wait a day or so if possible and check in. I am hoping to give you a bit of hope. Regards, Trevuren
  21. Hi bigrig,

Well it appears that it is nearly impossible to control this infection of yours with the means at our disposal. We will give it 1 more BIG try and if it doesn't work, after consultation with my colleagues, I will have to recommend a REFORMAT of your drive.

Remember, please do not use the internet other than to communicate with me. When you do use the net, use Mozilla only.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Download XPHidden.Zip from HERE. Unzip the file BUT DO NOT USE IT YET.
2. Pull the plug on your internet connection until the fix is completed.
3. You already have all the downloads so we can skip that part.

Open Ad-Aware. Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:
Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" button to open up the tweak settings. Open up the Scanning Engine section and make sure the following is On with a "green" checkmark:
Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:
Unload recognized processes & modules during scan

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot

Click the "Proceed" button to save settings. Don't scan yet. We will do it in safe mode.

Ensure hidden files and folders are set to show: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called <Service: Remote Procedure Call (RPC) Helper >. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Now unzip the file that I had you download, XPHidden.Zip, and run the program. This is a special program to unhide very special files.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE.

While in safe mode, double click on the cwsserviceremove.reg file you downloaded at the beginning. Grant it permission to add the registry items. Then open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.
Bring up task manager (Ctrl-Alt-Del) and end these processes, if they are present:
C:\WINDOWS\addxv32.exe
C:\WINDOWS\system32\ntlq.exe

Now find and delete these files, if they are present:
C:\WINDOWS\addxv32.exe
C:\WINDOWS\system32\ntlq.exe
C:\WINDOWS\system32\clalb.dll
C:\WINDOWS\netoq32.dll
C:\WINDOWS\crao.dll
C:\WINDOWS\system32\javanv32.dll
C:\WINDOWS\system32\d3cx.dll
C:\WINDOWS\addvt.dll
C:\WINDOWS\system32\netqr32.dll
C:\WINDOWS\system32\msgw.exe
C:\WINDOWS\atlwu32.exe
C:\WINDOWS\ntpq.exe
C:\WINDOWS\system32\iezx.exe
C:\WINDOWS\d3ge32.exe
C:\WINDOWS\apimd.exe
C:\WINDOWS\appqh32.exe
C:\WINDOWS\netby.exe
C:\WINDOWS\system32\sdkvv32.exe
C:\WINDOWS\ipnh32.exe
C:\WINDOWS\system32\ipce32.exe
C:\WINDOWS\atlwu32.exe

Now run HijackThis and click the scan button. When it has finished scanning put a check against the following and click 'fix checked':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {09207CE5-BD48-226E-8BA1-3964BEC3C523} - C:\WINDOWS\addxv32.dll
O2 - BHO: Class - {0F1C73A3-D00A-5B50-277B-29E122FC2D80} - C:\WINDOWS\netoq32.dll
O2 - BHO: Class - {6037F97A-04E3-7C3C-FBD9-0C131CA3DF82} - C:\WINDOWS\crao.dll
O2 - BHO: Class - {62339B5F-FF78-9E4F-91EB-D791EAC20279} - C:\WINDOWS\system32\javanv32.dll
O2 - BHO: Class - {7359F8C5-7626-32C9-DA3E-ECDBA6CDF831} - C:\WINDOWS\system32\d3cx.dll
O2 - BHO: Class - {E8A9E4E1-61A2-BCEA-4EC3-0DEFD026EDE5} - C:\WINDOWS\addvt.dll
O2 - BHO: Class - {F72B1F16-5DA1-0CE7-8A46-761D0FBCADC7} - C:\WINDOWS\system32\netqr32.dll
O4 - HKLM\..\Run: [msgw.exe] C:\WINDOWS\system32\msgw.exe
O4 - HKLM\..\Run: [addxv32.exe] C:\WINDOWS\addxv32.exe
O4 - HKLM\..\RunOnce: [atlwu32.exe] C:\WINDOWS\atlwu32.exe
O4 - HKLM\..\RunOnce: [ntpq.exe] C:\WINDOWS\ntpq.exe
O4 - HKLM\..\RunOnce: [iezx.exe] C:\WINDOWS\system32\iezx.exe
O4 - HKLM\..\RunOnce: [d3ge32.exe] C:\WINDOWS\d3ge32.exe
O4 - HKLM\..\RunOnce: [apimd.exe] C:\WINDOWS\apimd.exe
O4 - HKLM\..\RunOnce: [appqh32.exe] C:\WINDOWS\appqh32.exe
O4 - HKLM\..\RunOnce: [netby.exe] C:\WINDOWS\netby.exe
O4 - HKLM\..\RunOnce: [sdkvv32.exe] C:\WINDOWS\system32\sdkvv32.exe
O4 - HKLM\..\RunOnce: [ipnh32.exe] C:\WINDOWS\ipnh32.exe
O4 - HKLM\..\RunOnce: [ipce32.exe] C:\WINDOWS\system32\ipce32.exe
O4 - HKLM\..\RunOnce: [ntlq.exe] C:\WINDOWS\system32\ntlq.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlwu32.exe" /s (file missing)

The following step is important as you may have several malware files in your temp directories. Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button.
It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

Scan with Ad-Aware by opening it and clicking the "Next" button to start the scan. When the scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad.

Be careful with the Hosts file entries. Malware uses the hosts file to redirect your websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following: Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.

Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log.

Regards, Trevuren.
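The HijackThis entries the helper picks out in posts 21 and 22 above all follow a handful of patterns: IE start and search settings pointing at a res:// resource inside a dropped DLL, a missing URLSearchHook, BHOs registered under the generic name "Class" from a DLL in C:\WINDOWS, Run/RunOnce entries named after their own executable, and a service with a garbage display name, no owner and a missing binary. The script below is an added example, not a tool from the thread or from the HijackThis project; it reads an HJT log and lists the lines matching those patterns with the reason for each, so a reader can see which indicators the helper was keying on. The sample log is constructed from lines quoted in the thread plus three assumed benign entries (a placeholder "Example" BHO and updater, and Windows XP's own ctfmon.exe) so the filter has something to leave alone; the heuristics are specific to this infection family and print candidates for review, not an automatic removal list.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log. The R1/R3/O2/O4/O23 lines are copied from the HijackThis
# excerpts in this thread; the "Example" BHO and Run entries (placeholder CLSID and
# paths) and the ctfmon.exe line are assumed benign entries that are NOT from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\clalb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {09207CE5-BD48-226E-8BA1-3964BEC3C523} - C:\WINDOWS\addxv32.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [msgw.exe] C:\WINDOWS\system32\msgw.exe
O4 - HKLM\..\RunOnce: [atlwu32.exe] C:\WINDOWS\atlwu32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe /quiet
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\atlwu32.exe" /s (file missing)
"""

# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32: every dropped file in
# the thread's removal lists lives in one of these two places.
WIN_DIR = re.compile(r"^c:\\windows\\(system32\\)?[^\\]+$", re.IGNORECASE)
# Legitimate XP components that would otherwise match the O4 pattern (allowlist).
KNOWN_GOOD_O4 = {"ctfmon.exe"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def in_windows_dir(path: str) -> bool:
    return bool(WIN_DIR.match(path.strip().strip('"')))


def check_line(line: str) -> list:
    """Return the reasons (possibly none) why one HJT line looks like part of the hijack."""
    reasons = []
    kind = line.split(" - ", 1)[0]
    if kind in ("R0", "R1"):
        if "= res://" in line:
            reasons.append("IE search/start setting points at a resource inside a DLL (res://...sp.html)")
        elif line.rstrip().endswith("= about:blank"):
            reasons.append("start page forced to about:blank")
    elif kind == "R3" and "URLSearchHook is missing" in line:
        reasons.append("default URLSearchHook has been removed")
    elif kind == "O2":
        # "O2 - BHO: <name> - {CLSID} - <dll path>"
        m = re.match(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$", line)
        if m and m.group(1).strip() == "Class" and in_windows_dir(m.group(2)):
            reasons.append("BHO with the generic name 'Class' loading a DLL dropped in the Windows directory")
    elif kind == "O4":
        # "O4 - HKLM\..\RunOnce: [label] <exe> [args]"
        m = re.match(r"O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(.*?)\] (.+)$", line)
        if m:
            key, label, target = m.group(2), m.group(3), m.group(4)
            exe_match = re.match(r"(.+?\.exe)", target, re.IGNORECASE)
            exe = exe_match.group(1) if exe_match else target
            basename = exe.rsplit("\\", 1)[-1].lower()
            if in_windows_dir(exe) and label.lower() == basename and basename not in KNOWN_GOOD_O4:
                reasons.append(f"{key} entry named after its own executable in the Windows directory")
    elif kind == "O23":
        m = re.match(r"O23 - Service: (.*?) - ", line)
        if m and any(not (32 <= ord(c) <= 126) for c in m.group(1)):
            reasons.append("service display name contains non-printable or non-ASCII garbage")
        if "Unknown owner" in line:
            reasons.append("service has no registered owner")
        if "(file missing)" in line:
            reasons.append("service binary is missing on disk")
    return reasons


def triage(log_text: str) -> list:
    """Run check_line over every non-empty line and keep the ones with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := check_line(line)):
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run it as-is and it prints the seven flagged lines from the sample with their reasons; the "Example" entries and ctfmon.exe are left out. The O4 rule is the one most likely to misfire on a real machine, which is why the allowlist exists and why the output is meant to be read by a person before anything is fixed.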
  22. Hi bigrig,

I just got another case like this tonight on another site. This could turn out to be a long couple of weeks for everybody.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

I need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes. Open Microsoft AntiSpyware. Click on Tools, Settings. In the left pane, click on Real-time Protection. Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended). Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended). After you uncheck these, click on the Save button and close Microsoft AntiSpyware. Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

-----------------------------------------

You have these downloads so don't download them again. Pull the plug on your internet after printing out these pages.

First of all I need you to download some programs for use later. Do not use any of them until instructed to do so.

1. Download cwsserviceremove.zip and unzip it to your desktop.
2. Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet.
3. Download CWShredder from here, install it, check for updates but again, don't use it yet.
4. Then, download Ad-Aware Second Edition here and install it. If you already have Ad-Aware Second Edition skip to the next step.

Open Ad-Aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:
Scan within archives
Scan active processes
Scan Registry
Deep-scan Registry
Scan my IE Favorites for banned URLs
Scan my Hosts File

Then click on the "Tweak" button to open up the tweak settings. Open up the Scanning Engine section and make sure the following is On with a "green" checkmark:
Scan registry for all users instead of current user only

Make sure the following is unchecked with a "red" X:
Unload recognized processes & modules during scan

Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
Always try to unload modules before deletion
During Removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot

Click the "Proceed" button to save settings. Don't scan yet. We will do it in safe mode.

Ensure hidden files and folders are set to show: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Scroll down and find the service called <Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I)>. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE.

While in safe mode, double click on the cwsserviceremove.reg file you downloaded at the beginning. Grant it permission to add the registry items. Then open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Bring up task manager (Ctrl-Alt-Del) and end these processes, if they are present:
C:\WINDOWS\system32\msgw.exe

Now find and delete these files; if you can't find one then don't worry, just move on to the next one.
C:\WINDOWS\system32\msgw.exe
C:\WINDOWS\system32\wawea.dll
C:\WINDOWS\msej.dll
C:\WINDOWS\system32\iepc.exe
C:\WINDOWS\sdksx.exe
C:\WINDOWS\system32\sysjk32.exe
C:\WINDOWS\d3mi32.exe
C:\WINDOWS\nttr32.exe
C:\WINDOWS\system32\mfctk32.exe
C:\Program Files\I8kfanGUI <<< Folder

Now run HijackThis and click the scan button. When it has finished scanning put a check against the following and click 'fix checked':
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wawea.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wawea.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wawea.dll/sp.ht
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wawea.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wawea.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wawea.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wawea.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F1C42DB1-6A20-CE33-C14A-D483F27B1A0D} - C:\WINDOWS\msej.dll
O4 - HKLM\..\Run: [msgw.exe] C:\WINDOWS\system32\msgw.exe
O4 - HKLM\..\RunOnce: [iepc.exe] C:\WINDOWS\system32\iepc.exe
O4 - HKLM\..\RunOnce: [sdksx.exe] C:\WINDOWS\sdksx.exe
O4 - HKLM\..\RunOnce: [sysjk32.exe] C:\WINDOWS\system32\sysjk32.exe
O4 - HKLM\..\RunOnce: [d3mi32.exe] C:\WINDOWS\d3mi32.exe
O4 - HKLM\..\RunOnce: [nttr32.exe] C:\WINDOWS\nttr32.exe
O4 - HKLM\..\RunOnce: [mfctk32.exe] C:\WINDOWS\system32\mfctk32.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\i8kfangui.exe /startup
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\iepc.exe" /s (file missing)

The following step is important as you may have several malware files in your temp directories. Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

Scan with Ad-Aware by opening it and clicking the "Next" button to start the scan. When the scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad.

Be careful with the Hosts file entries. Malware uses the hosts file to redirect your websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

To fix all the bad critical objects do the following: Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.
When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.

Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log. (Remember to use the Mozilla browser.)

Regards, Trevuren.
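Posts 18, 21 and 22 all repeat the same hosts-file caveat: an entry that maps a name to 127.0.0.1 is usually a protective blocking entry and should be kept, while the entries malware adds send a name somewhere else. The script below is an added example, not part of the thread or of Ad-Aware; it reads a hosts file and labels each mapping as "system" (localhost), "blocking" (loopback or 0.0.0.0, the keep-these entries) or "redirect" (any other address, the ones to review). The sample hosts file is constructed: the blocked names use the reserved .example domain, the redirected names use .invalid, and the redirect target 192.0.2.10 is a documentation address (TEST-NET-1) standing in for an attacker-chosen host.

```python
import ipaddress

# Constructed sample hosts file (assumed content, not from the thread). The 127.0.0.1
# and 0.0.0.0 lines are the protective blocking entries the post says to keep; the
# 192.0.2.10 lines (TEST-NET-1, a documentation address) play the role of a hijack.
SAMPLE_HOSTS = """\
# Hosts file
127.0.0.1       localhost
127.0.0.1       ads.example          # blocking entry, keep
0.0.0.0         tracker.example      # blocking entry, keep
192.0.2.10      www.example-antivirus.invalid
192.0.2.10      update.example-os-vendor.invalid www.example-os-vendor.invalid
"""


def classify_hosts(text: str) -> list:
    """Return (hostname, address, verdict) for every mapping in a hosts file.

    verdict is one of:
      "system"   - the standard localhost mapping
      "blocking" - sinks a name to loopback/unspecified, i.e. the protective
                   entries the post says not to delete
      "redirect" - sends a name somewhere else; exactly what malware adds, so review it
    """
    results = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address-then-names line, skip it
        for host in fields[1:]:            # one address may map several names
            if host.lower() == "localhost":
                verdict = "system"
            elif addr.is_loopback or addr.is_unspecified:
                verdict = "blocking"
            else:
                verdict = "redirect"
            results.append((host, str(addr), verdict))
    return results


def suspicious_hosts(text: str) -> list:
    """The entries a cleaner should look at first: everything classed as a redirect."""
    return [row for row in classify_hosts(text) if row[2] == "redirect"]


if __name__ == "__main__":
    for host, addr, verdict in classify_hosts(SAMPLE_HOSTS):
        print(f"{verdict:9} {addr:15} {host}")
```

On the sample this reports one system entry, two blocking entries and three redirects. A redirect is not automatically malicious (an administrator may have pinned a name on purpose), but on a home machine with the symptoms in this thread it is the entry worth checking against what the name should resolve to.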
  23. Hi bigrig,

Sorry for the delay in getting back to you on this. We are having trouble with the server and, frankly, I was also trying to get some advice on your case. Here is the info I received:

"It's going to be next to impossible to fix this infection if he still uses the net. Every time he connects, the infection will morph. Have him download Mozilla, then tell him to disconnect from the net until you have him cleaned up. Mozilla is for downloading other tools in case they are needed... that way IE won't attract more garbage."

Well, so this is what we are going to do:

1. Download Mozilla or Firefox.
2. Send me a log.
3. I send you a fix.
4. You disconnect completely from the internet and do the fix.
5. You send the fixed log back through Firefox.
6. All downloads are done through Firefox and you must stay off the net unless talking to me.

So go get your Firefox (free) and send me a fresh log.

Regards, Trevuren
  24. Hi desecrate_me, I am just wondering how your system is running? I would appreciate another HJT log to finish the cleanup of your system. If you no longer require our services, please inform us so we can close the thread. Regards, Trevuren