
Trevuren

Everything posted by Trevuren

  1. Hi jatt7846,

     Good to hear from you again. Again I wasn't advised of your response. There is a glitch somewhere. You have picked up a real nasty since the last time we spoke.

     Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

     First of all I need you to download some programs for use later. Do not use any of them until instructed to do so.

     1. Download cwsserviceremove.zip and unzip it to your desktop.
     2. Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster and check for updates. Do NOT use it yet.
     3. Download CWShredder from here, install it, check for updates but again, don't use it yet.
     4. Then, download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.
        Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
        Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.
        Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page.
        Make sure all of the following are On with a "green" checkmark:
        * Scan within archives
        * Scan active processes
        * Scan Registry
        * Deep-scan Registry
        * Scan my IE Favorites for banned URLs
        * Scan my Hosts File
        Then click on the "Tweak" button to open up the tweak settings. Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:
        * Scan registry for all users instead of current user only
        Make sure the following is unchecked with a "red" X:
        * Unload recognized processes & modules during scan
        Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:
        * Always try to unload modules before deletion
        * During Removal, unload Explorer and IE if necessary
        * Let Windows remove files in use at next reboot
        Click the "Proceed" button to save settings. Don't scan yet. We will do it in safe mode.

     Ensure hidden files and folders are set to show:
     * Click Start. Open My Computer.
     * Select the Tools menu and click Folder Options.
     * Select the View tab.
     * Under the Hidden files and folders heading select Show hidden files and folders.
     * Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.

     Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK. Scroll down and find the service called ( 11Fßä#·ºÄÖ`I). When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.

     Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

     Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE.

     While in safe mode, double click on the cwsserviceremove.reg file you downloaded at the beginning. Grant it permission to add the registry items.

     Then open CWShredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

     Bring up Task Manager (Ctrl-Alt-Del) and end these processes, if they are present:
     C:\WINDOWS\applr.exe
     C:\WINDOWS\system32\wincf.exe

     Now find and delete these files; if you can't find one then don't worry, just move on to the next one:
     C:\WINDOWS\ytlri.dll
     C:\WINDOWS\ntiy32.dll
     C:\WINDOWS\applr.exe
     C:\WINDOWS\system32\wincf.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\WINDOWS\system32\msbu32.exe

     Now run HijackThis and click the Scan button. When it has finished scanning put a check against the following and click 'Fix checked':
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytlri.dll/sp.html#12345
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytlri.dll/sp.html#12345
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ytlri.dll/sp.html#12345
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytlri.dll/sp.html#12345
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ytlri.dll/sp.html#12345
     R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytlri.dll/sp.html#12345
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ytlri.dll/sp.html#12345
     R3 - Default URLSearchHook is missing
     O2 - BHO: (no name) - {C00A9344-3738-44F8-F571-9291F322B905} - C:\WINDOWS\ntiy32.dll
     O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
     O4 - HKLM\..\Run: [applr.exe] C:\WINDOWS\applr.exe
     O4 - HKLM\..\RunOnce: [wincf.exe] C:\WINDOWS\system32\wincf.exe
     O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msbu32.exe (file missing)

     The following step is important as you may have several malware files in your temp directories. Browse to the C:\Documents and Settings\Your User Name\Local Settings\Temp folder (repeat for all other user names in Documents and Settings) and delete all files and folders in it. Then browse to the C:\Windows\Temp folder and delete all files and folders in it. Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

     Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

     Scan with Ad-aware by opening it and clicking the "Next" button to start the scan. When the scan is completed the Performing System Scan screen will change name to "Scan Complete". Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

     To fix all the bad critical objects do the following: Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.

     Now reboot, and run HijackThis again and post a fresh log along with the About:Buster log.

     Regards,
     Trevuren
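Added example (not part of Trevuren's post): the post above asks the user to fix a set of HijackThis entries by hand and warns that hosts-file entries pointing at 127.0.0.1 are usually protective rather than hostile. The Python below applies that same judgement to a whole HJT-style log at once: R0/R1 pages served from a res:// DLL, nameless O2 BHOs or DLLs dropped straight into the Windows directory, O4 autoruns from the Windows root or borrowing the iexplore.exe name, any non-empty O20 AppInit_DLLs value, and O23 services whose binary is missing or whose service name is garbled. It also pulls out the exact service name from the O23 line, which is the value Services.msc and `sc` need. The sample log is constructed from the entries quoted in the post plus made-up benign lines and two made-up O1 hosts lines (the post shows no O1 entries); the heuristics are this example's own, not HijackThis rules.

```python
"""Triage of HijackThis-style log lines (added example; heuristics are the author's own)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries quoted in the post plus made-up benign/hosts lines.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ytlri.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.1 ads.example.invalid
O1 - Hosts: 203.0.113.5 search.example.com
O2 - BHO: (no name) - {C00A9344-3738-44F8-F571-9291F322B905} - C:\WINDOWS\ntiy32.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [applr.exe] C:\WINDOWS\applr.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O20 - AppInit_DLLs: piy60wsx4j6.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msbu32.exe (file missing)
O23 - Service: Example Backup (ExampleBackup) - Example Corp - C:\Program Files\Example\backup.exe
"""

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # hosts entries that block rather than redirect

# A file directly in the Windows directory (not a subfolder) is a common drop
# location for this family; legitimate binaries live in System32 or Program Files.
WINDIR_ROOT_FILE = re.compile(r'^"?[A-Za-z]:\\windows\\[^\\"]+"?$', re.IGNORECASE)

R_RE = re.compile(r"^(R[01]) - .+? = (.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O4_RE = re.compile(r"^O4 - .+?: \[(.*?)\] (.+)$")
# The display name may itself contain parentheses ("...(RPC) Helper"), so the greedy .+
# makes the LAST parenthesised group before " - " the real service (key) name.
O23_RE = re.compile(r"^O23 - Service: (.+) \(([^()]*)\) - (.*?) - (.+?)( \(file missing\))?$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "R1" or "O23"
    verdict: str   # "hijack", "suspicious", "repair" or "keep"
    reason: str
    detail: str    # the value to act on: URL, host, CLSID, path or service name


def looks_dropped(path: str) -> bool:
    """Windows-root drop or an 8.3 short name (W8C6S4~2.DLL) hiding the real file name."""
    path = path.strip()
    return bool(WINDIR_ROOT_FILE.match(path)) or "~" in path.rsplit("\\", 1)[-1]


def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    tag = line.split(" - ", 1)[0]
    if tag in ("R0", "R1"):
        m = R_RE.match(line)
        if m and m.group(2).lower().startswith("res://"):
            return Finding(tag, "hijack", "IE start/search page served from a resource inside a local DLL", m.group(2))
    elif line == "R3 - Default URLSearchHook is missing":
        return Finding("R3", "repair", "default URLSearchHook removed by the hijacker; fixing restores it", "")
    elif tag == "O1":
        m = O1_RE.match(line)
        if m and m.group(1) in SINKHOLE_IPS:
            return Finding("O1", "keep", "hosts entry sinkholes a site to loopback (blocklist-style, usually protective)", m.group(2))
        if m:
            return Finding("O1", "hijack", "hosts entry redirects a site to a non-loopback address", f"{m.group(2)} -> {m.group(1)}")
    elif tag == "O2":
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m.group(1) == "(no name)":
                reasons.append("BHO registered without a name")
            if looks_dropped(m.group(3)):
                reasons.append("BHO DLL dropped in the Windows directory or listed by 8.3 short name")
            if reasons:
                return Finding("O2", "suspicious", "; ".join(reasons), m.group(2))
    elif tag == "O4":
        m = O4_RE.match(line)
        if m and looks_dropped(m.group(2)):
            return Finding("O4", "suspicious", "autorun binary sits directly in the Windows directory", m.group(2))
        if m and m.group(2).lower().endswith("iexplore.exe"):
            return Finding("O4", "suspicious", "Internet Explorer does not register itself under Run; a dropped file is borrowing its name", m.group(2))
    elif tag == "O20":
        value = line.split(":", 1)[1].strip()
        if value:   # AppInit_DLLs is empty on a clean XP system
            return Finding("O20", "suspicious", "AppInit_DLLs set; this DLL is loaded into every process that uses user32", value)
    elif tag == "O23":
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group(5):
                reasons.append("service binary missing from disk")
            if not (m.group(2).isascii() and m.group(2).isprintable()):
                reasons.append("service name contains non-ASCII or non-printable characters")
            if reasons:
                return Finding("O23", "suspicious", "; ".join(reasons), m.group(2))
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]


def summary(findings: List[Finding]) -> dict:
    counts: dict = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.verdict:<11}{f.detail!r:<50} {f.reason}")
```

Everything the script cannot classify is left alone, which matches the post's own warning about fixing unknown entries: the output is a shortlist to review, not a list to fix blindly. The O23 detail keeps the service name exactly as logged, leading space included, because that is the key name you must match when stopping or deleting the service.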
  2. Hi jatt7846,

     I just returned and noticed that we are still where we were before I left. Inasmuch as it has been 4 days since your last post, I would like you to post a fresh HJT log so we can continue and try to find a cure for your problem.

     Regards,
     Trevuren
  3. Hi jatt7846,

     Well we were right. It is a stinker to remove but it can be removed.
     * I am going to ask you to go to the Kaspersky site CLICK HERE and have your system undergo their beta online virus scanner.
     * Let it run its course.
     * It will want to reboot the system, let it.
     * After it has finished, post a fresh log into this thread and we should be able to clean everything up.

     I will be away as of tomorrow morning to attend my son's graduation so don't be surprised if one of my friends and mentors here finishes for me. You will be in the best of hands. It has been a pleasure working with you.

     Regards,
     Trevuren
  4. Hi jatt7846, Hi victim,

     1. Download AppInit_DLLs Fix. Unzip the contents of appinitfix.zip to a convenient location. Double-click on appinitfix.reg. When it asks you to merge the information to the registry click "Yes".
     2. Now you must do a thorough scan with Ad-Aware SE.
     3. Now do a complete scan with Ad-Aware SE and post a new HJT log for review.
     4. Reboot.
     5. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review.

     Regards,
     Trevuren
  5. Excellent jatt7846,

     1. Download AboutBuster.
        * Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
        * Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
        * Click "OK" at the prompt with instructions.
        * Click "Update" and then "Check For Update" to begin the update process.
        * If any updates exist please download them by clicking "Download Update".
     2. Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.
     3. Scan with HJT, place a check mark beside the following item and click Fix checked:
        O20 - AppInit_DLLs: piy60wsx4j6.dll
        Exit the program and BOOT into Safe Mode, search for and DELETE the following file, if present:
        piy60wsx4j6.dll

     Regards,
     Trevuren
  6. Hi jatt7846,

     Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

     Download Killbox (version 2.0.0.76) here: http://www.downloads.subratam.org/KillBox.exe and put it on your desktop.

     Open Killbox. Check the following boxes:
     * Standard File Kill
     * End Explorer Shell While Killing file

     Copy & paste the full path of each of the files below into the Killbox topmost box.
     C:\WINDOWS\SYSTEM32\bridge.dll
     C:\WINDOWS\SYSTEM32\cdimgdev.dll
     C:\WINDOWS\SYSTEM32\d2kpax.dll
     C:\WINDOWS\SYSTEM32\jac.dll
     C:\WINDOWS\SYSTEM32\msasmc18.dll
     C:\WINDOWS\SYSTEM32\msxslab.dll
     fl52jcuo94ouri.dll
     C:\WINDOWS\System32\W8C6S4~2.DLL

     With the full path to the file name in the topmost textbox, click the Red X ...and for the confirmation message that will appear, you will need to click Yes. Do this for each of the files listed. Some will not be deleted. Make sure you keep a list of them.

     When you are through the list, use Killbox to delete the files you were not able to delete as follows:
     Open Killbox. Check the following box:
     * Delete on Reboot
     With the full path to the file name in the topmost textbox, click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? You will need to click No (since you are not finished adding all related files in yet). Click Yes on the last file.
     Note: Killbox will let you know if the file does not exist.

     After the reboot scan with HijackThis and fix the following if they are still listed:
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631
     O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~2.DLL
     O20 - AppInit_DLLs: fl52jcuo94ouri.dll

     Reboot and post a new HijackThis log.

     Regards,
     Trevuren
  7. Hi jatt7846,

     Well, apparently, we have one that is super hiding on us. Let's go here:
     1. Download the program "DLL COMPARE" to your Desktop from HERE.
     2. Click the program "ICON", then click "RUN" in the window that appeared.
     3. Click "Locate.com" (a Notepad log appears on your desktop).
     4. Click "COMPARE" in the lower part of the DLL Compare window.
     5. When the program has finished, click "Make a Log of What Was Found".
     6. POST this log into this thread for review.

     Regards,
     Trevuren
  8. Hi jatt7846,

     That log looks much better. I am not worried about the O20 at present.

     Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

     Now let's do some work on your log:
     First we need to make all files and folders VISIBLE: Go to Start > Control Panel > Folder Options > View (tab)
     * choose to "show hidden files and folders,"
     * uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
     * Close the window with OK
     * All hidden files will now be visible

     Close all browser windows and RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
     O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
     O20 - AppInit_DLLs: piy60wsx4j6.dll
     Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.

     How to use the F8 method to Start Your Computer in Safe Mode
     * Restart the computer.
     * As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
     * Use the arrow keys to select the Safe mode menu item.
     * Press Enter.

     Using Windows Explorer, locate the following file and DELETE it (if present):
     piy60wsx4j6.dll
     Exit Explorer, and REBOOT BACK INTO NORMAL MODE.

     Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

     Regards,
     Trevuren
  9. Hi jatt7846,

     Try this. It is important that all hidden files be showing before we are able to clean up your computer.
     * Please download xphidden.zip to your desktop.
     * Double click on the XPHidden.zip to open the file.
     * Then double click on xphidden.reg to add the information to your registry.
     * This will cause all super-hidden files and protected system files to be visible.

     Regards,
     Trevuren
  10. Hi jatt7846,

      Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

      Before we start, we need to turn off WinPatrol by doing the following: Right click the running icon of WinPatrol, and choose Exit.

      1. Download HOSTER HERE and unzip it.
      2. Download CCleaner HERE and install it.
      3. Open a Notepad file and copy all the following script in bold into this Notepad file:

         REGEDIT4

         [-HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}]
         [-HKEY_CLASSES_ROOT\Plugin6.DNSErrObj]
         [-HKEY_CLASSES_ROOT\redalert.here]
         [-HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}]

         Close the file, name it CWS_Swapx.reg and save it to your desktop. A little cube should appear on your desktop with that name. Don't use it until so instructed.
      4. Now let's do some work on your log:
         First we need to make all files and folders VISIBLE: Go to Start > Control Panel > Folder Options > View (tab)
         * choose to "show hidden files and folders,"
         * uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
         * Close the window with OK
         * All hidden files will now be visible
         Close all browser windows and RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
         R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631
         R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
         R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com
         R3 - Default URLSearchHook is missing
         O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\C9I5E7~1.DLL
         O20 - AppInit_DLLs: hnzul65nenpkgt.dll
         Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window.
      5. Run Hoster
         * Click "Restore Original Hosts" and click "OK"
         * Exit
      6. Run CCleaner - Please check the following:
         Under Internet Explorer:
         * Temporary Internet Files
         * History
         * Recently Typed URLs
         * Delete Index.dat files
         Under System:
         * Empty Recycle Bin
         * Temporary Files
         * Memory Dumps
         * Chkdsk File Fragments
         * Old Prefetch Data
         Click the "Options" button (top right) and then click the "Settings" tab.
         * Uncheck: "Only delete files older than 48 hrs." and click OK
      7. Double click on the CWS_Swapx.reg file located on your desktop and when asked if you would like to merge this information, click YES.
      8. Reboot Your System in Safe Mode
         How to use the F8 method to Start Your Computer in Safe Mode
         * Restart the computer.
         * As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
         * Use the arrow keys to select the Safe mode menu item.
         * Press Enter.
         Using Windows Explorer, locate the following files and DELETE them (if they are present):
         C:\WINDOWS\System32\C9I5E7~1.DLL
         hnzul65nenpkgt.dll
         Exit Explorer, and REBOOT BACK INTO NORMAL MODE.
      9. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review.

      Regards,
      Trevuren
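Added example (not Trevuren's CWS_Swapx.reg, and not code from the thread): step 3 above has the user type a REGEDIT4 script whose `[-KEY]` lines delete registry keys when merged. A Browser Helper Object like the nameless O2 entry fixed in posts 6 and 10 is registered in two standard places, `HKEY_CLASSES_ROOT\CLSID\{clsid}` and `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}` (these two locations are assumed as general Windows knowledge, not taken from the thread). The Python below builds such a deletion-only script from HJT O2 lines, passes through the Interface/TypeLib/ProgID keys from the post's script as-is (they cannot be derived from the CLSID), and reads a .reg back so a downloaded "fix" can be checked for anything beyond deletions before it is merged. The O2 lines and extra keys are the ones quoted in posts 6 and 10.

```python
"""Build and review a REGEDIT4 removal script for Browser Helper Objects (added example)."""
import re
from typing import Iterable, List, Sequence

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[^}]+\}) - ")

# Standard BHO registration points (assumed, not from the thread): COM class and IE's BHO list.
BHO_KEY_TEMPLATES = (
    r"HKEY_CLASSES_ROOT\CLSID\{clsid}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
)

# O2 lines quoted in posts 6 and 10 (same CLSID, different 8.3 short file names).
HJT_O2_LINES = [
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~2.DLL",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\C9I5E7~1.DLL",
]
# Extra deletions copied from the CWS_Swapx.reg script in post 10.
POST10_EXTRA_KEYS = (
    r"HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}",
    r"HKEY_CLASSES_ROOT\Plugin6.DNSErrObj",
    r"HKEY_CLASSES_ROOT\redalert.here",
    r"HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}",
)


def clsids_from_hjt(lines: Iterable[str]) -> List[str]:
    """Distinct, well-formed CLSIDs from O2 lines; registry keys are case-insensitive, so normalise."""
    found: List[str] = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m and GUID_RE.fullmatch(m.group(1)):
            clsid = m.group(1).upper()
            if clsid not in found:
                found.append(clsid)
    return found


def build_removal_reg(clsids: Sequence[str], extra_keys: Sequence[str] = ()) -> str:
    """REGEDIT4 text that only deletes keys: header, blank line, one [-KEY] block per key."""
    keys: List[str] = []
    for clsid in clsids:
        if not GUID_RE.fullmatch(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        keys.extend(t.format(clsid=clsid.upper()) for t in BHO_KEY_TEMPLATES)
    keys.extend(extra_keys)
    return "REGEDIT4\n\n" + "\n\n".join(f"[-{k}]" for k in keys) + "\n"


def reg_deletions(text: str) -> List[str]:
    """Keys a .reg script will delete. Raises if the script also creates keys or writes
    values, so a downloaded fix can be reviewed before regedit merges it."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    deletions: List[str] = []
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        if line.startswith("[-") and line.endswith("]"):
            deletions.append(line[2:-1])
        else:
            raise ValueError(f"script is not deletion-only, review this line: {line!r}")
    return deletions


def is_deletion_only(text: str) -> bool:
    try:
        reg_deletions(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    script = build_removal_reg(clsids_from_hjt(HJT_O2_LINES), POST10_EXTRA_KEYS)
    print(script)
    print("will delete:", *reg_deletions(script), sep="\n  ")
```

Save the generated text with an .ans/ANSI encoding as `something.reg` and merge it from Safe Mode the same way the post does; the review function is the more useful half in practice, since it refuses any script that quietly adds a Run value or a new BHO alongside the deletions.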
  11. Hi jatt7846,

      You are doing a heck of a good job. For your Trojan scan, use this Online Trojan Scan. Once you are finished, if you decide to not buy Trojan Hunter, just uninstall it through ADD/REMOVE programs in your Control Panel.

      Regards,
      Trevuren
  12. Hi jatt7846,

      Well now we can put a name to it. Your infection is CWS_Swapx. I want to try a method that was successful on another case. It is composed of 3 parts.

      Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

      1. Download CWShredder (the stand alone version is free). Run the program and click Check for Update. Make sure that all browser windows are closed with the exception of CWShredder and choose FIX. Here is the link: CWS Shredder
         REBOOT YOUR SYSTEM

      2. I want you to run both of the following FREE online antivirus scanners, making sure that you choose to do a "complete scan" and letting the program fix everything it finds. It is also necessary to REBOOT your system after running each program.
         TrendMicro Free Virus Scanner and Panda Software Online Virus Scanner.

      3. Download and run a free trial version of an anti-trojan program called Trojan Hunter: Trojan Hunter. Let it scan your whole system and remove anything it finds. REBOOT your system.

      4. Download, install, and run Ad-Aware SE 1.05, keeping the default options. However, some of the settings will need to be changed before your first scan.
         * Close ALL windows except Ad-Aware SE.
         * Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.
         * Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window.
         A. In the ‘General’ window make sure the following are selected in green:
            * Automatically save log-file
            * Automatically quarantine objects prior to removal
            * Safe Mode (always request confirmation)
            Under Definitions:
            * Prompt to update outdated definitions - set the number of days
         B. Click on the ‘Scanning’ button on the left and select in green:
            Under Drives, Folders & Files:
            * Scan Within Archives
            Under Select drives & folders to scan:
            * choose all hard drives
            Under Memory & Registry: all green
            * Scan Active Processes
            * Scan Registry
            * Deep Scan Registry
            * Scan my IE favorites for banned URL’s
            * Scan my Hosts file
         C. Click on the ‘Advanced’ button on the left and select in green:
            Under Shell Integration:
            * Move deleted files to recycle bin
            Under Logfile Detail Level: (all green)
            * include additional object information
            * DESELECT - include negligible objects information
            * include environment information
            Under Alternate Data Streams:
            * Don't log streams smaller than 0 bytes
            * Don't log ADS with the following names: CA_INOCULATEIT
         D. Click the ‘Tweak’ button and select in green:
            Under the ‘Scanning Engine’:
            * Unload recognized processes during scanning
            * Scan registry for all users instead of current user only
            Under the ‘Cleaning Engine’:
            * Let Windows remove files in use at next reboot
            Under the Log Files:
            * Include basic Ad-aware SE settings in logfile
            * Include additional Ad-aware SE settings in logfile
            * Please do not check or make green: Include Module list in logfile
         E. Click on ‘Proceed’ to save the settings.
         F. Click ‘Start’
            * Choose: 'Perform Full System Scan'
            * DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
         G. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
         H. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window.
         I. Save the log file when it asks and then click ‘Finish’.
         J. REBOOT to complete the removal of what Ad-Aware SE found.

      5. Download, install, and run Spybot S&D, accepting the default settings.
         A. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
         B. Close ALL windows except Spybot S&D.
         C. Click the button to ‘Search for Updates’ then download and install the updates.
         D. Next click the button ‘Check for Problems’.
         E. When Spybot is complete, it will be showing ‘RED’ entries, bold 'Black' entries and ‘GREEN’ entries in the window.
         F. Make certain there is a check mark beside all of the RED entries ONLY.
         G. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
         H. REBOOT to complete the scan and clear memory.

      6. Run HijackThis with all windows closed except for HijackThis, click SCAN, produce a log and post it back into this thread. DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER.

      Regards,
      Trevuren
  13. Excellent jatt7846,

      I would like you to run the other one too.

      Thanks,
      Trevuren
  14. Hi jatt7846,

      We have decided to bring in the cavalry on this one.
      1. Download the program "DLL COMPARE" to your Desktop from HERE.
      2. Click the program ICON, then RUN in the window that appeared.
      3. Click Locate.com (a Notepad log appears on your desktop).
      4. Click COMPARE in the lower part of the DLL Compare window.
      5. When the program has finished, click Make a Log of What Was Found.
      6. POST this log into this thread for review.

      Regards,
      Trevuren
  15. Hi jatt7846,

      1. Open Notepad.
      2. Copy this text:

         dir C:\WINDOWS\System32\*.dll.dll > BadDLL.txt
         notepad BadDLL.txt

         from here into the open Notepad file.
      3. Close the Notepad file and name it: FindDll.bat (We have now created a program to find a file.)
      4. Now click on this program that we just made called FindDll.bat. Another Notepad file will open with some text in it. It is this text that I want you to post back here for review.

      Trevuren
  16. Hi jatt7846,

      Apparently, our traditional methods of dealing with your infection don't seem to be having any effect. Today I will do another HJT complete fix to clear out as much as I can then I will get you to run a little program so we can find out what is going on. The order in which we will be doing these procedures will be reversed.

      Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

      1. Launch Notepad, and copy/paste the box below into a new text file. Save it as FindDLL.bat and save it on your Desktop.

         dir C:\WINDOWS\System32\*.dll.dll > BadDLL.txt
         notepad BadDLL.txt

         Locate FindDLL.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here with your new HJT log.

      2. You have WinPatrol running on your system. It is a good program but must be disabled while we do our HJT fix because it could stop some of the changes from taking effect. Right click the running icon of WinPatrol, and choose Exit.

      3. Now let's do some work on your log:
         First we need to make all files and folders VISIBLE: Go to Start > Control Panel > Folder Options > View (tab)
         * choose to "show hidden files and folders,"
         * uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
         * Close the window with OK
         * All hidden files will now be visible
         Close all browser windows and RUN HijackThis.
         * Click the SCAN button to produce a log.
         * Click the Config button located in the lower right hand corner of the HijackThis window.
         * When the new screen opens, find and click the Miscellaneous Tools button.
         * Then choose the Open Process Manager button.
         * From the list of processes, highlight the following items by clicking them, ONE AT A TIME, then DELETE them by clicking the KILL button:
           C:\WINDOWS\System32\1myr3zy980ybthd.exe
           C:\WINDOWS\System32\h9skp63xcw12thd.exe
         * Once all items have been KILLED, click the Back button which will return you to the HijackThis main window.
         Now place a check mark beside each one of the following items:
         R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631
         R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
         O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\G9RVIW~1.DLL
         O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\1myr3zy980ybthd.exe
         O4 - Startup: winupdate78549030[1].exe
         O20 - AppInit_DLLs: piy60wsx4j6.dll
         Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.

         How to use the F8 method to Start Your Computer in Safe Mode
         * Restart the computer.
         * As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
         * Use the arrow keys to select the Safe mode menu item.
         * Press Enter.

         Using Windows Explorer, locate the following files and DELETE them (if they are present):
         C:\WINDOWS\System32\1myr3zy980ybthd.exe
         C:\WINDOWS\System32\h9skp63xcw12thd.exe
         C:\WINDOWS\System32\G9RVIW~1.DLL
         winupdate78549030[1].exe
         piy60wsx4j6.dll
         Exit Explorer, and REBOOT BACK INTO NORMAL MODE.

      Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

      Regards,
      Trevuren
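Added example (not Trevuren's FindDLL.bat and not code from the thread): the batch file in posts 15 and 16 lists only names matching `*.dll.dll`, so a file stacked one level deeper or hiding a DLL behind another extension would not appear in BadDLL.txt. The Python below generalises that check: it reports any file whose name ends in two or more recognisable extensions with an executable type last (`.dll.dll`, `.dll.dll.dll.dll`, `.txt.dll`), while leaving dotted but legitimate names such as `System.Data.dll` alone. `KNOWN_EXTS` is an assumed list; the demo directory is constructed from two file names quoted in the thread plus made-up benign and decoy names.

```python
"""Find DLLs with stacked extensions, generalising the *.dll.dll listing (added example)."""
import os
import sys
import tempfile
from pathlib import Path
from typing import List

EXECUTABLE_EXTS = {"dll", "exe", "sys", "ocx", "scr", "com"}
# Assumed list of extensions that count as "an extension" when stacked; not from the thread.
KNOWN_EXTS = EXECUTABLE_EXTS | {"txt", "jpg", "gif", "bmp", "doc", "pdf", "htm", "html",
                                "bat", "cmd", "vbs", "js", "zip"}


def extension_chain(name: str) -> List[str]:
    """Trailing run of known extensions: 'a.dll.dll.dll' -> ['dll', 'dll', 'dll'].
    The leading stem is never treated as an extension, and an unknown middle part
    stops the chain, so 'System.Data.dll' -> ['dll']."""
    parts = name.lower().split(".")
    chain: List[str] = []
    for part in reversed(parts[1:]):
        if part not in KNOWN_EXTS:
            break
        chain.append(part)
    chain.reverse()
    return chain


def is_stacked(name: str) -> bool:
    """Two or more stacked extensions ending in an executable type."""
    chain = extension_chain(name)
    return len(chain) >= 2 and chain[-1] in EXECUTABLE_EXTS


def find_stacked(directory: str) -> List[str]:
    return sorted(p.name for p in Path(directory).iterdir() if p.is_file() and is_stacked(p.name))


def demo() -> List[str]:
    """Run the scan over a constructed directory so the logic can be exercised anywhere."""
    samples = [
        "cv9319k4d4h6ox7.dll.dll.dll.dll",  # quoted in the thread (post 20)
        "fl52jcuo94ouri.dll",               # quoted in the thread (post 6): random name, single extension
        "readme.txt.dll",                   # made-up: document name with a DLL bolted on
        "System.Data.dll",                  # made-up benign: dotted .NET assembly name
        "kernel32.dll",                     # made-up benign
        "setup.exe.txt",                    # made-up benign: renamed installer, not executable
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in samples:
            Path(tmp, name).write_bytes(b"")
        return find_stacked(tmp)


if __name__ == "__main__":
    # Default target mirrors the batch file; pass another directory as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    hits = find_stacked(target) if os.path.isdir(target) else demo()
    print("\n".join(hits) or "no stacked-extension files found")
```

Like the batch file, this only looks at names: a file with a single random-looking name such as `fl52jcuo94ouri.dll` is not reported, which is why the thread still relies on HijackThis and DLL Compare for those.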
  17. Hi jatt7846,

      1. I want you to download CWShredder (the stand alone version is free). Run the program and click Check for Update. Make sure that all browser windows are closed with the exception of CWShredder and choose FIX. Here is the link: CWS Shredder
         REBOOT YOUR SYSTEM
      2. We will re-run the previous fix. Double-click on appinitfix.reg. When it asks you to merge the information to the registry click "Yes".
      3. Now do a complete scan with Ad-Aware SE and post a new HJT log for review.

      Regards,
      Trevuren
  18. Hi jatt7846,

      Sorry for the non-reply. I must have deleted your email by mistake.

      Download AppInit_DLLs Fix. Unzip the contents of appinitfix.zip to a convenient location. Double-click on appinitfix.reg. When it asks you to merge the information to the registry click "Yes".

      Now do a complete scan with Ad-Aware SE and post a new HJT log for review.

      Regards,
      Trevuren
  19. Hi jatt7846,

      Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

      Before doing any fixes, we must turn off certain programs that could interfere with malware removal:
      1. To disable SpySweeper: Open it, click > Options over to the left, then > Program Options > uncheck "load at windows startup". Over to the left click "Shields" and uncheck all there. Uncheck "home page shield". Uncheck "automatically restore default without notification".
      2. To disable WinPatrol: Right click the running icon of WinPatrol, and choose Exit.

      Now let's do some work on your log:
      First we need to make all files and folders VISIBLE: Go to Start > Control Panel > Folder Options > View (tab)
      * choose to "show hidden files and folders,"
      * uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
      * Close the window with OK
      * All hidden files will now be visible

      Close all browser windows and RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:
      R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31631
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31631
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31631
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31631
      N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js)
      O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\H7U1CS~1.DLL
      O20 - AppInit_DLLs: piy60wsx4j6.dll
      Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.

      How to use the F8 method to Start Your Computer in Safe Mode
      * Restart the computer.
      * As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
      * Use the arrow keys to select the Safe mode menu item.
      * Press Enter.

      Using Windows Explorer, locate the following files, and DELETE them (if they are present):
      C:\WINDOWS\System32\H7U1CS~1.DLL
      piy60wsx4j6.dll
      C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\6s5i5rw9.slt\prefs.js
      Exit Explorer, and REBOOT BACK INTO NORMAL MODE.

      Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

      Regards,
      Trevuren
  20. Hi jatt7846,

You have caught a few new fish here.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1. Download "Service Filter" from: HERE to your Desktop.

2. Now open Service Filter by clicking on its icon. Then click OK and OK again when prompted. A WordPad text will appear on your desktop. Scroll down the list of services until you find the service containing the name:

mserv.exe (anem) - Unknown owner - C:\WINDOWS\mserv.exe

For the O23 involved, carefully write down the name that appears beside the label "Service Name". This name will be required in the next step. Close the program when finished.

----------------------------

3. Now we need to work from the Command Prompt. Go Start >> Programs >> Accessories >> Command Prompt. A black box will appear with a flashing cursor. At the cursor, type cd.. then cd.. again and repeat the procedure until the writing preceding the cursor says C:\>

Now carefully type the following: sc delete "servicename", where the word servicename is replaced by the real service name, probably anem, that you have written down. Press ENTER. Close the Command Prompt box.

------------------------------------------

4. Download AppInit_DLLs Fix. Unzip the contents of appinitfix.zip to a convenient location. Double-click on appinitfix.reg. When it asks you to merge the information to the registry click "Yes".

5. Now do a complete scan with Ad-Aware SE and let it remove all it finds.

6. Reboot your system into Safe Mode.

7. Using Windows Explorer, DELETE the following files, if they are present:

C:\WINDOWS\mserv.exe
cv9319k4d4h6ox7.dll.dll.dll.dll

8. REBOOT back into Normal Mode.

9. Finally, run HijackThis and with all windows closed except for HJT, click SCAN, produce a LOG and POST it in this thread for review. There are more entries to fix.
Regards, Trevuren
  21. Hi coggley,

Reformatting your hard drive is always an option to consider, but it is very labor intensive and if you can't do it yourself it can be costly. Do you have anyone that is a bit more used to working with computers that could help you through this?

What service name did you find for the entry with all the squiggly writing? It would have said "Service Name"=.......

Please respond before you give up.

Regards,
Trevuren
  22. Hi coggley,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

We are now at the point where we have some very touchy work to do. Take your time and be as precise as possible. I will try and provide you with the clearest directions possible.

1) Download "Service Filter" from: HERE to your Desktop so you can find it easily later. Do not use it now.

2) Open HijackThis, run a SCAN, and scroll down the list of entries until you reach the O23 entries. Here I need you to find the following entries:

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\msgy32.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

Write down on a piece of paper all the particulars of each entry. You will need this information later. Close HijackThis.

---------------------------------

3. Now open Service Filter by clicking on its icon. Then click OK and OK again when prompted. A WordPad text will appear on your desktop. Scroll down the list of services until you find the services containing the names you wrote down during the preceding procedure. For each O23 involved, carefully write down the name that appears beside the label "Service Name". These names will be required in the next step. Close the program when finished.

----------------------------

4. Now we need to work from the Command Prompt. Go Start >> Programs >> Accessories >> Command Prompt. A black box will appear with a flashing cursor. At the cursor, type cd.. then cd.. again and repeat the procedure until the writing preceding the cursor says C:\>

Now carefully type the following: sc delete servicename, where servicename is replaced by one of the real service names that you have written down. Press ENTER. Repeat the same procedure using the second, then the third service name this time. Press ENTER. Close the Command Prompt box.

------------------------------------------

Now to stuff we are more familiar with. Now let's do some work on your log:

First we need to make all files and folders VISIBLE:
Go to Start > Control Panel > Folder Options > View (tab)
* Choose "Show hidden files and folders"
* Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes
* Close the window with OK
* All hidden files will now be visible

Close all browser windows and RUN HijackThis. Click the SCAN button to produce a log. Click the Config button located in the lower right hand corner of the HijackThis window. When the new screen opens, find and click the Miscellaneous Tools button. Then choose the Open Process Manager button. From the list of processes, highlight the following items by clicking them, ONE AT A TIME, then DELETE them by clicking the KILL button:

C:\WINDOWS\System32\UAService7.exe

Once all items have been KILLED, click the Back button which will return you to the HijackThis main window.

Now place a check mark beside each one of the following items:

O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\System32\kernels32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c8.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/e422b003/enter.cab
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\msgy32.exe (file missing)

Now with all the items selected, delete them by clicking the FIX checked button.

Close the HijackThis window and Reboot Your System in Safe Mode.

How to use the F8 method to Start Your Computer in Safe Mode:
* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe mode menu item.
* Press Enter.

Using Windows Explorer, locate the following files and delete them (if they are present):

C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\angelex.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\msgy32.exe

Exit Explorer, and REBOOT BACK INTO NORMAL MODE.

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,
Trevuren
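The O23, R0/R1, O2, O4, O16 and O20 entries in posts 19 and 22 above are the ones a helper picks out of a HijackThis log by eye. Below is an added example (not code from the thread or from HijackThis) that applies the same checks to log lines mechanically and, for flagged O23 entries, derives the `sc delete` command used in the Command Prompt step. The sample log lines are constructed, modelled on the entries quoted in the posts; the trusted-host list and the "unknown owner outside System32" heuristic are the example's own assumptions. The parenthesised name after an O23 display name is read as the service's key name, which is the value the posts recover with Service Filter; treat that as an assumption and confirm it with Service Filter as the posts direct.

```python
"""Triage HijackThis-style log lines the way the posts above do by hand.

Added example: the heuristics and TRUSTED_HOSTS are assumptions of this
example, not HijackThis behaviour. Sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: hosts a default IE start/search page may legitimately point at.
TRUSTED_HOSTS = {"www.microsoft.com", "go.microsoft.com", "www.msn.com", "search.msn.com"}

# One pattern per HJT section discussed in the thread.
RE_R = re.compile(r"^(?P<code>R[01]) - (?P<key>.+?) = (?P<url>.+)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.*?)\] (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>.+?)\))? - (?P<url>.+)$")
RE_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# "Display Name (ServiceKeyName) - Owner - path [(file missing)]"
RE_O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    code: str          # HJT section, e.g. "O23"
    reason: str        # why the line was flagged
    line: str          # the original log line
    service: str = ""  # service key name for "sc delete" (O23 only)


def _untrusted(url: str) -> bool:
    """True for http(s) URLs whose host is not on the allow-list; about:blank is fine."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the thread's suspicious patterns."""
    line = line.strip()
    if (m := RE_R.match(line)):
        if _untrusted(m["url"]):
            return Finding(m["code"], "IE start/search page points at an untrusted host", line)
    elif (m := RE_O2.match(line)):
        if m["name"] == "(no name)":
            return Finding("O2", "unnamed Browser Helper Object", line)
    elif (m := RE_O4.match(line)):
        if "RunServices" in m["key"]:  # heuristic: legacy key, rarely used legitimately
            return Finding("O4", "autostart from legacy RunServices key", line)
    elif (m := RE_O16.match(line)):
        if _untrusted(m["url"]):
            return Finding("O16", "ActiveX download from untrusted host", line)
    elif (m := RE_O20.match(line)):
        # AppInit_DLLs are loaded into every process that loads user32.dll.
        return Finding("O20", "AppInit_DLLs is populated", line)
    elif (m := RE_O23.match(line)):
        name = m["short"] or m["display"]  # key name, or display name when HJT shows only one
        if m["missing"]:
            return Finding("O23", "service whose binary is missing", line, name)
        if m["owner"] == "Unknown owner" and "\\system32\\" not in m["path"].lower():
            return Finding("O23", "unknown-owner service outside System32 (heuristic)", line, name)
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def sc_delete_commands(findings: List[Finding]) -> List[str]:
    """The Command Prompt step from the posts: one sc delete per flagged O23 entry."""
    return [f'sc delete "{f.service}"' for f in findings if f.code == "O23"]


# Constructed sample log, modelled on the entries quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31631
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\H7U1CS~1.DLL
O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/e422b003/enter.cab
O20 - AppInit_DLLs: piy60wsx4j6.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Workstation NetLogon Service (anem) - Unknown owner - C:\WINDOWS\mserv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.code}: {f.reason}\n    {f.line}")
    print("\n".join(sc_delete_commands(found)))
```

On the constructed sample this flags seven lines and yields `sc delete "ISEXEng"` and `sc delete "anem"`; the UAService7 entry is left for a human, since the heuristic only reacts to a missing binary or an unknown-owner service outside System32, which mirrors why the posts ask for each name to be confirmed before anything is deleted.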
  23. Hi coggley,

We still haven't reset your default web settings or put HJT in its own folder. We will have to do this over and over until we get it right.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

1) We need a Start Page and a Search Page, both of which are missing from your log, so let's go get them back. Open Internet Explorer >> Tools >> Reset Web Settings. Place a checkmark in the box and click YES. Exit Internet Explorer and REBOOT your system.

2) You are STILL running HJT from a Temp folder. Follow these directions:

Download the most current version of HijackThis (v.1.99.1) to a folder of its own. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Please go to your 'My Documents' folder, right-click and select 'New > Folder' and name the folder 'HijackThis'.
B. Download HijackThis from: HERE
C. Double click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.
D. Close ALL windows except HJT.
E. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')
F. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste').

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER.

3. I see that you are still running Warez P2P, which is the main reason why you are getting all this junk on your system. I can't force you to keep it off your computer, but I can insist that you uninstall it for as long as I am trying to fix your problems. Go to Add/Remove Programs in your Control Panel and UNINSTALL Warez P2P.

4. Once you have done all this correctly, please post a fresh log for review and further instructions.

Regards,
Trevuren
  24. Hi coggley,

Go to that first link for DelDomains in blue and left click on it. A box will appear asking you what you want to do with it. Click on SAVE. Save the file to the Desktop. Then right click on the file and a box appears: choose INSTALL.

If this works, then provide me with a fresh log. If it doesn't, shoot me. JUST KIDDING. We will try and do it manually.

Regards,
Trevuren
  25. Hi coggley, I just tried the link I gave you and downloaded the program easily. Please tell me what happens when you click on that DelDomains2002 link in my previous post? I don't understand what is happening either. Trevuren