Trevuren

Trusted Malware Techs
Everything posted by Trevuren

  1. Hi bigrig,
     What part of the instructions is giving you problems? There is a problem because after two attempts, there is no apparent change. Please feel free to tell me if there are procedures that you don't understand.
     Regards, Trevuren
  2. Hi bigrig,
     1. To remove the double spacing in your log, please do the following:
        * Please go to Start - Run... and type notepad.exe
        * Hit OK.
        * Now go to Format and uncheck WordWrap.
        * Close Notepad.
     2. Please post a fresh log
     Regards, Trevuren
  3. Hi bigrig,
     We have to redo some of this. We didn't manage to break its back. When you run AboutBuster later on, run it until it says that it didn't find much.
     Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
     First of all I need you to download some programs for use later. Do not use any of them until instructed to do so.
     1. Download cwsserviceremove.zip and unzip it to your desktop.
     2. Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet.
     3. Download CWShredder from here, install it, check for updates but again, don't use it yet.
     4. Then, download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.
        Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
        Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.
        Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page.
        Make sure all of the following are On with a "green" checkmark:
        * Scan within archives
        * Scan active processes
        * Scan Registry
        * Deep-scan Registry
        * Scan my IE Favorites for banned URLs
        * Scan my Hosts File
        Then click on the "Tweak" button to open up the tweak settings.
        Open up the Scanning Engine section and make sure the following is On with a "green" checkmark:
        * Scan registry for all users instead of current user only
        Make sure the following is unchecked with a "red" X:
        * Unload recognized processes & modules during scan
        Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
        * Always try to unload modules before deletion
        * During Removal, unload Explorer and IE if necessary
        * Let Windows remove files in use at next reboot
        Click the "Proceed" button to save settings. Don't scan yet. We will do it in safe mode.
     Ensure hidden files and folders are set to show:
     Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
     Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK. Scroll down and find the service called <Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I)>. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
     Please disconnect from the Internet and unplug your modem for the duration of this fix.
     Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE.
     While in safe mode, double-click on the cwsserviceremove.reg file you downloaded at the beginning. Grant it permission to add the registry items.
     Then open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.
     Now find and delete these files; if you can't find one then don't worry, just move on to the next one.
     C:\WINDOWS\system32\dwpee.dll
     C:\WINDOWS\system32\d3xq.dll
     C:\WINDOWS\system32\sdkfs.exe
     C:\WINDOWS\apink32.exe
     C:\WINDOWS\ipvv.exe
     C:\WINDOWS\appci32.exe
     C:\WINDOWS\system32\atlxh.exe
     C:\WINDOWS\ntjr.exe
     C:\WINDOWS\atlxk.exe
     C:\WINDOWS\addvn.exe
     C:\WINDOWS\system32\appbb32.exe
     C:\WINDOWS\system32\msip.exe
     C:\WINDOWS\addnh.exe
     C:\WINDOWS\system32\mfcgg.exe
     C:\WINDOWS\system32\netul.exe
     C:\WINDOWS\ieuq.exe
     C:\WINDOWS\netlf.exe
     C:\WINDOWS\d3vl32.exe
     C:\WINDOWS\netxc.exe
     C:\WINDOWS\appij32.exe
     C:\WINDOWS\system32\winln32.exe
     C:\WINDOWS\system32\ntuj.exe
     C:\WINDOWS\system32\ipdj.exe
     C:\WINDOWS\system32\sdkfs.exe
     Now run HijackThis and click the scan button; when it has finished scanning put a check against the following and click 'Fix checked':
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
     R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
     R3 - Default URLSearchHook is missing
     O2 - BHO: Class - {EB67DBE2-B4C0-BCE6-089D-45388C69B86C} - C:\WINDOWS\system32\d3xq.dll
     O4 - HKLM\..\RunOnce: [sdkfs.exe] C:\WINDOWS\system32\sdkfs.exe
     O4 - HKLM\..\RunOnce: [apink32.exe] C:\WINDOWS\apink32.exe
     O4 - HKLM\..\RunOnce: [ipvv.exe] C:\WINDOWS\ipvv.exe
     O4 - HKLM\..\RunOnce: [appci32.exe] C:\WINDOWS\appci32.exe
     O4 - HKLM\..\RunOnce: [atlxh.exe] C:\WINDOWS\system32\atlxh.exe
     O4 - HKLM\..\RunOnce: [ntjr.exe] C:\WINDOWS\ntjr.exe
     O4 - HKLM\..\RunOnce: [atlxk.exe] C:\WINDOWS\atlxk.exe
     O4 - HKLM\..\RunOnce: [addvn.exe] C:\WINDOWS\addvn.exe
     O4 - HKLM\..\RunOnce: [appbb32.exe] C:\WINDOWS\system32\appbb32.exe
     O4 - HKLM\..\RunOnce: [msip.exe] C:\WINDOWS\system32\msip.exe
     O4 - HKLM\..\RunOnce: [addnh.exe] C:\WINDOWS\addnh.exe
     O4 - HKLM\..\RunOnce: [mfcgg.exe] C:\WINDOWS\system32\mfcgg.exe
     O4 - HKLM\..\RunOnce: [netul.exe] C:\WINDOWS\system32\netul.exe
     O4 - HKLM\..\RunOnce: [ieuq.exe] C:\WINDOWS\ieuq.exe
     O4 - HKLM\..\RunOnce: [netlf.exe] C:\WINDOWS\netlf.exe
     O4 - HKLM\..\RunOnce: [d3vl32.exe] C:\WINDOWS\d3vl32.exe
     O4 - HKLM\..\RunOnce: [netxc.exe] C:\WINDOWS\netxc.exe
     O4 - HKLM\..\RunOnce: [appij32.exe] C:\WINDOWS\appij32.exe
     O4 - HKLM\..\RunOnce: [winln32.exe] C:\WINDOWS\system32\winln32.exe
     O4 - HKLM\..\RunOnce: [ntuj.exe] C:\WINDOWS\system32\ntuj.exe
     O4 - HKLM\..\RunOnce: [ipdj.exe] C:\WINDOWS\system32\ipdj.exe
     O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkfs.exe" /s (file missing)
     The following step is important as you may have several malware files in your temp directories. Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.
     Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.
     Scan with Ad-aware by opening it and clicking the "Next" button to start the scan. When the scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.
     To fix all the bad critical objects do the following: Right-click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.
     Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log.
     Regards, Trevuren.
  4. Hi bigrig,
     Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
     First of all I need you to download some programs for use later. Do not use any of them until instructed to do so.
     1. Download cwsserviceremove.zip and unzip it to your desktop.
     2. Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet.
     3. Download CWShredder from here, install it, check for updates but again, don't use it yet.
     4. Then, download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.
        Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
        Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.
        Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page.
        Make sure all of the following are On with a "green" checkmark:
        * Scan within archives
        * Scan active processes
        * Scan Registry
        * Deep-scan Registry
        * Scan my IE Favorites for banned URLs
        * Scan my Hosts File
        Then click on the "Tweak" button to open up the tweak settings.
        Open up the Scanning Engine section and make sure the following is On with a "green" checkmark:
        * Scan registry for all users instead of current user only
        Make sure the following is unchecked with a "red" X:
        * Unload recognized processes & modules during scan
        Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
        * Always try to unload modules before deletion
        * During Removal, unload Explorer and IE if necessary
        * Let Windows remove files in use at next reboot
        Click the "Proceed" button to save settings. Don't scan yet. We will do it in safe mode.
     Ensure hidden files and folders are set to show:
     Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
     Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK. Scroll down and find the service called <Network Security Service ( 11Fßä#·ºÄÖ`I)>. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
     Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.
     Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE.
     While in safe mode, double-click on the cwsserviceremove.reg file you downloaded at the beginning. Grant it permission to add the registry items.
     Then open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.
     Bring up Task Manager (Ctrl-Alt-Del) and end these processes, if they are present:
     C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
     C:\WINDOWS\ipuv32.exe
     Now find and delete these files/folders (with all their content); if you can't find one then don't worry, just move on to the next one.
     C:\Program Files\WildTangent <<<Folder
     C:\WINDOWS\ipuv32.exe
     C:\WINDOWS\system32\wtfzi.dll
     C:\WINDOWS\system32\netkb32.dll
     C:\WINDOWS\crwq.exe
     C:\WINDOWS\mfceo32.exe
     C:\WINDOWS\netst32.exe
     C:\WINDOWS\system32\sdkii32.exe
     C:\WINDOWS\system32\mfcoc.exe
     C:\WINDOWS\system32\ierv32.exe
     C:\WINDOWS\system32\apinv32.exe
     C:\WINDOWS\wincg32.exe
     C:\WINDOWS\ipgq.exe
     C:\WINDOWS\crks.exe
     C:\WINDOWS\system32\javaex.exe
     C:\WINDOWS\system32\sysgi32.exe
     C:\WINDOWS\system32\ipnl32.exe
     C:\WINDOWS\system32\d3vx32.exe
     C:\WINDOWS\system32\ipex.exe
     C:\WINDOWS\system32\iequ32.exe
     C:\WINDOWS\apiza.exe
     C:\WINDOWS\system32\sysfu32.exe
     C:\WINDOWS\ntfc.exe
     C:\WINDOWS\system32\d3hv.exe
     C:\WINDOWS\system32\netko32.exe
     C:\WINDOWS\sdkwm.exe
     C:\WINDOWS\apito32.exe
     C:\WINDOWS\sysyq32.exe
     C:\WINDOWS\sdkni.exe
     C:\WINDOWS\iegf.exe
     C:\WINDOWS\iprs.exe
     C:\WINDOWS\addwm.exe
     C:\WINDOWS\system32\d3gf32.exe
     C:\WINDOWS\ipmh.exe
     C:\WINDOWS\system32\winac.exe
     C:\WINDOWS\system32\ipji32.exe
     C:\WINDOWS\apibo32.exe
     C:\WINDOWS\crxy32.exe
     C:\WINDOWS\sdkah.exe
     C:\WINDOWS\system32\sysqv.exe
     Now run HijackThis and click the scan button; when it has finished scanning put a check against the following and click 'Fix checked':
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wtfzi.dll/sp.html#37049
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wtfzi.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wtfzi.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wtfzi.dll/sp.html#37049
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wtfzi.dll/sp.html#37049
     R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wtfzi.dll/sp.html#37049
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wtfzi.dll/sp.html#37049
     R3 - Default URLSearchHook is missing
     O2 - BHO: (no name) - {9DD8538B-70C1-E876-7FC6-CF6EE85DC958} - C:\WINDOWS\system32\netkb32.dll
     O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
     O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
     O4 - HKLM\..\Run: [ipuv32.exe] C:\WINDOWS\ipuv32.exe
     O4 - HKLM\..\RunOnce: [crwq.exe] C:\WINDOWS\crwq.exe
     O4 - HKLM\..\RunOnce: [mfceo32.exe] C:\WINDOWS\mfceo32.exe
     O4 - HKLM\..\RunOnce: [netst32.exe] C:\WINDOWS\netst32.exe
     O4 - HKLM\..\RunOnce: [sdkii32.exe] C:\WINDOWS\system32\sdkii32.exe
     O4 - HKLM\..\RunOnce: [mfcoc.exe] C:\WINDOWS\system32\mfcoc.exe
     O4 - HKLM\..\RunOnce: [ierv32.exe] C:\WINDOWS\system32\ierv32.exe
     O4 - HKLM\..\RunOnce: [apinv32.exe] C:\WINDOWS\system32\apinv32.exe
     O4 - HKLM\..\RunOnce: [netxe32.exe] C:\WINDOWS\netxe32.exe
     O4 - HKLM\..\RunOnce: [wincg32.exe] C:\WINDOWS\wincg32.exe
     O4 - HKLM\..\RunOnce: [ipgq.exe] C:\WINDOWS\ipgq.exe
     O4 - HKLM\..\RunOnce: [crks.exe] C:\WINDOWS\crks.exe
     O4 - HKLM\..\RunOnce: [javaex.exe] C:\WINDOWS\system32\javaex.exe
     O4 - HKLM\..\RunOnce: [sysgi32.exe] C:\WINDOWS\system32\sysgi32.exe
     O4 - HKLM\..\RunOnce: [ipnl32.exe] C:\WINDOWS\system32\ipnl32.exe
     O4 - HKLM\..\RunOnce: [d3vx32.exe] C:\WINDOWS\system32\d3vx32.exe
     O4 - HKLM\..\RunOnce: [ipex.exe] C:\WINDOWS\system32\ipex.exe
     O4 - HKLM\..\RunOnce: [iequ32.exe] C:\WINDOWS\system32\iequ32.exe
     O4 - HKLM\..\RunOnce: [apiza.exe] C:\WINDOWS\apiza.exe
     O4 - HKLM\..\RunOnce: [sysfu32.exe] C:\WINDOWS\system32\sysfu32.exe
     O4 - HKLM\..\RunOnce: [ntfc.exe] C:\WINDOWS\ntfc.exe
     O4 - HKLM\..\RunOnce: [d3hv.exe] C:\WINDOWS\system32\d3hv.exe
     O4 - HKLM\..\RunOnce: [netko32.exe] C:\WINDOWS\system32\netko32.exe
     O4 - HKLM\..\RunOnce: [sdkwm.exe] C:\WINDOWS\sdkwm.exe
     O4 - HKLM\..\RunOnce: [apito32.exe] C:\WINDOWS\apito32.exe
     O4 - HKLM\..\RunOnce: [sysyq32.exe] C:\WINDOWS\sysyq32.exe
     O4 - HKLM\..\RunOnce: [sdkni.exe] C:\WINDOWS\sdkni.exe
     O4 - HKLM\..\RunOnce: [iegf.exe] C:\WINDOWS\iegf.exe
     O4 - HKLM\..\RunOnce: [iprs.exe] C:\WINDOWS\iprs.exe
     O4 - HKLM\..\RunOnce: [addwm.exe] C:\WINDOWS\addwm.exe
     O4 - HKLM\..\RunOnce: [d3gf32.exe] C:\WINDOWS\system32\d3gf32.exe
     O4 - HKLM\..\RunOnce: [ipmh.exe] C:\WINDOWS\ipmh.exe
     O4 - HKLM\..\RunOnce: [winac.exe] C:\WINDOWS\system32\winac.exe
     O4 - HKLM\..\RunOnce: [ipji32.exe] C:\WINDOWS\system32\ipji32.exe
     O4 - HKLM\..\RunOnce: [apibo32.exe] C:\WINDOWS\apibo32.exe
     O4 - HKLM\..\RunOnce: [crxy32.exe] C:\WINDOWS\crxy32.exe
     O4 - HKLM\..\RunOnce: [sdkah.exe] C:\WINDOWS\sdkah.exe
     O4 - HKLM\..\RunOnce: [sysqv.exe] C:\WINDOWS\system32\sysqv.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
     O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/604485.exe
     O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ipex.exe
     The following step is important as you may have several malware files in your temp directories. Browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.
     Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.
     Scan with Ad-aware by opening it and clicking the "Next" button to start the scan. When the scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.
     To fix all the bad critical objects do the following: Right-click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.
     Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log.
     Regards, Trevuren.
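The HijackThis entries quoted in the two bigrig fixes above, turned into a small triage script. This is an added example and not code from the thread, from PC Pitstop or from HijackThis itself: the sample log is a constructed subset of the entries quoted above, and the flagging rules (a `res://` search page pointing at a local DLL, `RunOnce` launchers dropped straight into the Windows directory, a service with a garbage display name or missing binary) are heuristics chosen for this walkthrough to help a reviewer read such a log, not HijackThis's own logic.

```python
"""Triage helper for HijackThis-style log lines (added example).

Reproduces in code the reading done by hand in the two posts above:
spot the about:blank / sp.html search hijack, the RunOnce launchers
dropped into %WINDIR%, and the bogus 'Network Security Service', then
derive the list of files a reviewer should look at from those entries.
Every rule here is a triage heuristic for a human, not a signature.
"""
import re

# Constructed sample: a subset of the entries quoted in the posts above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dwpee.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EB67DBE2-B4C0-BCE6-089D-45388C69B86C} - C:\WINDOWS\system32\d3xq.dll
O4 - HKLM\..\RunOnce: [sdkfs.exe] C:\WINDOWS\system32\sdkfs.exe
O4 - HKLM\..\RunOnce: [apink32.exe] C:\WINDOWS\apink32.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkfs.exe" /s (file missing)
"""

ENTRY = re.compile(r'^([RFO]\d+) - (.*)$')
# An .exe/.dll sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper folder).
WIN_DIR_FILE = re.compile(r'C:\\WINDOWS\\(?:system32\\)?[^\\\s"]+\.(?:exe|dll)', re.IGNORECASE)
# IE search/start setting pointing at an HTML resource inside a local DLL.
RES_HIJACK = re.compile(r'=\s*res://.*\.dll/', re.IGNORECASE)
NON_ASCII = re.compile(r'[^\x20-\x7e]')


def parse_entry(line):
    """Return (section, rest) for an 'O4 - ...' style line, else None."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flag_entry(section, rest):
    """First-pass heuristic for one entry; returns a reason string or None."""
    if section in ('R0', 'R1') and RES_HIJACK.search(rest):
        return 'IE search/start setting points at a local DLL resource (res://)'
    if section == 'R3' and 'missing' in rest:
        return 'default URLSearchHook has been removed'
    if section == 'O2' and re.match(r'BHO: (?:\(no name\)|Class) -', rest) \
            and WIN_DIR_FILE.search(rest):
        return 'unnamed BHO loading a DLL straight from the Windows directory'
    # Only RunOnce is flagged: legitimate Run entries in system32 are common,
    # mass RunOnce launchers for files dropped in %WINDIR% are not.
    if section == 'O4' and 'RunOnce' in rest and WIN_DIR_FILE.search(rest):
        return 'RunOnce launcher for an executable dropped in the Windows directory'
    if section == 'O23':
        name = rest.split(' - ', 1)[0].replace('Service: ', '', 1)
        if NON_ASCII.search(name) or '(file missing)' in rest:
            return 'service with garbage display name and/or missing binary'
    return None


def triage(log_text):
    """Return [{'section', 'entry', 'reason'}] for every flagged entry.

    Second pass: Default_Page_URL = about:blank is harmless on its own, so it
    is only flagged when a res:// hijack was found in the same log.
    """
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    findings = []
    for section, rest in entries:
        reason = flag_entry(section, rest)
        if reason:
            findings.append({'section': section, 'entry': rest, 'reason': reason})
    res_seen = any(f['section'] in ('R0', 'R1') and RES_HIJACK.search(f['entry'])
                   for f in findings)
    if res_seen:
        for section, rest in entries:
            if section == 'R1' and 'Default_Page_URL' in rest \
                    and rest.rstrip().endswith('about:blank'):
                findings.append({'section': section, 'entry': rest,
                                 'reason': 'about:blank default page alongside a res:// hijack'})
    return findings


def files_to_review(findings):
    """Unique %WINDIR% files named by flagged entries (the post's delete list, derived)."""
    paths = set()
    for f in findings:
        for m in WIN_DIR_FILE.finditer(f['entry']):
            paths.add(m.group(0))
    return sorted(paths)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['section']:4} {f['reason']}\n     {f['entry']}")
    print('\nFiles to review:')
    for p in files_to_review(found):
        print('  ', p)
```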
  5. Hi bigrig, welcome to PC Pitstop
     My name is Trevuren and I will be helping you with your log.
     1. Please bookmark this page to make it easier to return here.
     2. Please DELETE your current HJT program from its present location.
     3. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
     A. Close ALL windows except HJT
     B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')
     C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')
     DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER
     Regards, Trevuren
  6. This thread is closed. If the original victim wishes it reopened please PM me and I will try to solve your problem.
     Trevuren
  7. Hi desecrate_me,
     Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
     Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/
     Install it, and update the definitions to the newest files. Do NOT run a scan yet.
     Please download Nailfix from here: http://users.pandora.be/bluepatchy/nailfix.zip
     Unzip it to the desktop but please do NOT run it yet.
     Next, please reboot your computer in Safe Mode by doing the following:
     1) Restart your computer
     2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
     3) Instead of Windows loading as normal, a menu should appear
     4) Select the first option, to run Windows in Safe Mode.
     For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml
     Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
     Then please run Ewido, and run a full scan. Post the log from the scan here for me.
     Then please run HijackThis, click Scan, and check:
     F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
     Close all open windows except for HijackThis and click Fix Checked.
     Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
     Regards, Trevuren
  8. Hi desecrate_me, welcome to PC Pitstop
     My name is Trevuren and I will be helping you with your log.
     1. Please DELETE your current version of HijackThis.
     2. Next, download and run the HijackThis autoinstaller from HERE
     3. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review.
     Regards, Trevuren
  9. Hi jatt,
     Please read this info and reset your main Search Page accordingly: Microsoft
     Then post your new log
     Regards, Trevuren
  10. Hi jatt, Before getting into Mozilla, have you tried manually resetting your homepage and search browser? Regards, Trevuren
  11. Hi jatt,
      Well no virus/trojans/malware. I guess we did our job. An expert suggested that we (What's this we?) you should try a complete UNINSTALL and REINSTALL of Mozilla with preferences and all. I think you have nothing to lose. It is that or a reformat. I would choose the Mozilla option first. Please advise me of your decision.
      Regards, Trevuren
  12. Hi jatt,
      I have seen this work on another board. Please do everything in the same order. I know you are saying to yourself, "been there, done that..." but items 3 and 4 are different products than the ones you used before and often detect slightly different things.
      1. Disable WinPatrol by right-clicking the running icon of WinPatrol, and choose exit.
      2. Download CWShredder here to its own folder. Update and run CWShredder:
         * Open CWShredder and click I AGREE
         * Click Check For Update
         * Run CWShredder
         * Click I Agree, then Fix and then Next, let it fix everything it asks about.
         * Reboot your computer
      3. Please run a free online virus scan here (tick the "Auto Clean" checkbox): http://housecall.antivirus.com/
         Reboot your computer
      4. And a free trojan scan here: http://www.moosoft.com/
         Reboot your computer
      5. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review.
      Regards, Trevuren
  13. Hi jatt7846,
      Well this is what we are going to do next:
      1. Turn off WinPatrol completely.
      2. Run HJT with all windows closed, click SCAN and put a checkmark beside the following entries:
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com
         R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
         Then click Fix Checked and exit the program.
      3. Reboot your computer
      4. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review.
      Regards, Trevuren
  14. Hi jatt,
      Glad to see that you got back safely. Everything looks fine except for your startpages. Run HJT with all windows closed and place a checkmark beside the following entries:
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
      When all items have been selected, click on Fix checked. When finished, exit HijackThis.
      Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review.
      Regards, Trevuren
  15. Administration
      This topic should be closed due to lack of activity.
      Trevuren
  16. Hi jatt7846,
      We will be repeating some things that we did before. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
      1. I want you to download CWShredder (the stand alone version is free). Run the program and click Check for Update. Make sure that all browser windows are closed with the exception of CWShredder and choose FIX. Here is the link: CWS Shredder
         REBOOT YOUR SYSTEM
      2. Download and install a 14-day free version of Ewido Security Suite from: HERE. Update its definitions. RUN and perform a FULL SCAN with EWIDO.
      3. REBOOT your system
      4. Run HJT, SCAN, place a checkmark beside the following item, if present:
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
         Click on "Fix Checked". Reboot.
      5. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review.
      Regards, Trevuren
  17. Hi jatt,
      Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
      1) Prior to doing the following fix, WinPatrol must be turned off. Right-click the running icon of WinPatrol, and choose exit. Unless it is turned off it could interfere with the fix by HijackThis.
      Now let's do some work on your log:
      First we need to make all files and folders VISIBLE: Go to start>control panel>folder options>view (tab)
      * choose to "show hidden files and folders,"
      * uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
      * Close the window with OK
      * All hidden files will now be visible
      Close all browser windows and RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
      O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
      Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.
      How to use the F8 method to Start Your Computer in Safe Mode:
      * Restart the computer.
      * As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
      * Use the arrow keys to select the Safe mode menu item
      * Press Enter.
      Using Windows Explorer, locate the following file and DELETE it (if it is present):
      C:\WINDOWS\System32\drivers\CDAC11BA.EXE
      Exit Explorer, and REBOOT BACK INTO NORMAL MODE.
      Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
      Regards, Trevuren
  18. Hi jatt,
      1. Enter Task Manager by pressing CTRL+Alt+Del and END Process on the following items:
         C:\WINDOWS\popuper.exe
         C:\WINDOWS\System32\msole32.exe
         C:\WINDOWS\System32\intmonp.exe
      2. Make sure all hidden files are showing like I have shown you before.
      3. Reboot into Safe Mode as you have been shown to do
      4. Delete the following files, if present:
         C:\WINDOWS\popuper.exe
         C:\WINDOWS\System32\msole32.exe
         C:\WINDOWS\System32\intmonp.exe
      5. REBOOT your computer into Normal Mode
      Regards, Trevuren
  19. Hi coggley, I sincerely apologize for the lack of response from our end. There must have been a glitch in our e-mail delivery system. If you are still in need of assistance, please post a new log. If things are working well, please advise us so we can close the topic. Regards, Trevuren
  20. Hi jatt7846, To reformat and reinstall everything you need the original equipment or buy new software. For info you may want to consult with other forums at PCPitstop which are more knowledgeable than myself in these matters. Regards, Trevuren
  21. Hi jatt7846, In all the time I have been treating malware cases I have never told a victim to reformat his drive. Today is a first. I agree with you completely, whatever you have I can't get at so let's bite the bullet and reformat. I am going to give you some recommendations that I strongly suggest you follow as soon as you are up and running again to prevent this from happening again. I wish you all the best and it was a pleasure working with you. DON'T FORGET TO USE AN ANTIVIRUS AND A FIREWALL Here are some tips to reduce the potential for spyware infection in the future: I strongly recommend installing the following applications: Spywareblaster <= SpywareBlaster will prevent spyware from being installed. Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts. How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware. How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware. To protect yourself further: IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer Google Toolbar <= Get the free google toolbar to help stop pop up windows. And also see TonyKlein's good advice So how did I get infected in the first place? (My Favorite) Regards, Trevuren
  22. Hi jatt7846,

  Disable WinPatrol by right-clicking the running icon of WinPatrol and choosing Exit.

  Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

  Download Killbox here: http://www.downloads.subratam.org/KillBox.exe and put it on your desktop.

  Open Killbox. Check the following boxes:
  Standard File Kill
  End Explorer Shell While Killing file

  Copy & paste the full path of each of the files below into the Killbox topmost box.
  C:\WINDOWS\SYSTEM32\Dwapilib.tlb: dwProvSpec2
  C:\WINDOWS\analyzer.exe
  C:\WINDOWS\RMAgentOutput.dll

  With the full path to the file name in the topmost textbox, click the Red X ... and for the confirmation message that will appear, you will need to click Yes. Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

  When you are through the list, use Killbox to delete the files you were not able to delete as follows:
  Open Killbox. Check the following box:
  Delete on Reboot
  With the full path to the file name in the topmost textbox, click the Red X ... and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet). Click Yes on the last file.

  Note: Killbox will let you know if the file does not exist.

  After the reboot, scan with HijackThis and fix the following if they are still listed:
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

  Reboot and post a new HijackThis log.

  Reset IE to accept cookies through Tools/Internet Options/Security in the IE taskbar.

  Regards, Trevuren
  23. Hi jatt7846,

  Well here we are. I have 2 more things to investigate: one a hidden file, the other an O23 that is running on your system that is labeled as "questionable". We will try and locate any hidden bad files first.

  1. Download the RKFiles.zip from here: http://skads.org/special/rkfiles.zip
  Create a new folder called c:\Antispyware\RKFiles
  Extract the contents of RKFiles.zip into this new RKFiles folder.

  Then,

  2. Reboot into Safe Mode (restart and press the F8 key a few times after the BIOS loads -- the first thing you see when the PC "comes alive" and does its "self test" -- before Windows loads).
  Open the C:\Antispyware\RKFiles folder.
  * Locate and double-click the RKFILES.BAT to run this tool.
  * Sit back and wait until it's finished.
  * When it is finally finished a text file will open.
  * Save the contents of that text file. Note: It should save by default to C:\Log.txt
  * Find this log, right-click and rename it RKFiles_log.txt so you can post it later.

  3. Reboot back to Normal Mode.

  4. Post the RKFiles log as well as a new HijackThis log.

  Regards, Trevuren
  24. Hi jatt7846,

  We got some more. Look, no bad O20.

  Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

  Download Killbox here: http://www.downloads.subratam.org/KillBox.exe and put it on your desktop.

  Open Killbox. Check the following boxes:
  Standard File Kill
  End Explorer Shell While Killing file

  Copy & paste the full path of the file below into the Killbox topmost box.
  C:\WINDOWS\System32\d3dei.dll

  With the full path to the file name in the topmost textbox, click the Red X ... and for the confirmation message that will appear, you will need to click Yes. It may not be deleted.

  When you are through, use Killbox to delete the file you were not able to delete as follows:
  Open Killbox. Check the following box:
  Delete on Reboot
  With the full path to the file name in the topmost textbox, click the Red X ... and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click YES.

  Note: Killbox will let you know if the file does not exist.

  After the reboot, scan with HijackThis and fix the following if they are still listed:
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631

  Reboot and post a new HijackThis log. If the R1 entry is still present, repeat the above procedure a second time. They are often difficult to kill.

  Regards, Trevuren