
yellowhammer

Trusted Malware Techs

About yellowhammer

  • Rank
    Member
  • Birthday 05/05/1955

Contact Methods

  • Website URL
    http://www.ralphcaddell.com/pchelp

Profile Information

  • Location
    Alabama

  1. You're welcome. You may delete all the files you downloaded. They should not be needed anymore. Some tips to keep your computer secure:
     1. Keep Windows updated via the Windows Update site. Better yet, set it up to automatically update. Instructions here.
     2. Keep a good antivirus system updated and running at all times. I use NOD32, available here. If you want a good free antivirus, try AVG, which is available here.
     3. Keep a firewall running at all times. I recommend Sygate Personal, available here.
     4. Set up your Internet Explorer security properly. See instructions here.
     5. Use Ad-Aware and Spybot S&D weekly after updating.
     6. Use SpywareBlaster, SpywareGuard, IE-SPYAD. Links to all of these on my site here.
     7. Replace your hosts file with the one available here.
     8. Run BugOff, available here, which disables three exploits that are commonly used by browser hijackers (including CWS), thus protecting you from infection.
     9. Switch browsers. Try Firefox, available here, or Opera, available here.
  2. Sygate should not slow down your computer. Right-click on it and exit and see if it speeds back up. If it does, then it is Sygate related. If not, it is something else.
  3. Housecall should be able to delete them. If not, get the names and delete them manually. Sygate does not appear to be running based on your last log. Try uninstalling and reinstalling it now that the trojan is gone.
  4. Post a HijackThis log and I can tell if it is running. It normally shows in the system tray as a couple of up/down arrows.
  5. Earlier you were asked to check for the file KTD32.ATM and said you found it. See if you can delete it. If Norton is scanning emails at boot up, then something is sending out the email. That is a good piece of information. Why don't you download Sygate Personal Firewall and install it, as it does not look like you have a firewall installed. After a reboot it will be enabled. At that point it will start monitoring programs accessing the internet. Right-click on it in the system tray and select "applications" and then remove all. That will force it to ask permission for each program that tries to access the net. You will get a pop-up message asking for permission for a program to access the net. If an email is being sent, it will identify the program that is trying to send it. Get that information and post back. Get the firewall here: http://www.tucows.com/preview/213160.html
  6. Something is obviously protecting C:\windows\services. I have a couple more suggestions. First, repeat the last set of instructions, but do them in safe mode. Let's see where that gets us. After that I have one more idea.
  7. 7. If you were successful in killing the C:\windows\services process, browse to and delete the file C:\WINDOWS\services.exe. If that is successful, go to step 9. If not, do step 8.
     8. Open Killbox that you downloaded in the first step. Make sure the following are checked:
        Delete on Reboot
        End Explorer Shell While Killing File
        Then type the full path to the following file in the Killbox address bar:
        C:\WINDOWS\services.exe
        Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click Yes and allow it to reboot.
     9. Reboot, scan and post another log after the reboot.
  8. Kill the one that has just services.exe. The one in the system32 folder is legitimate.
  9. 1. Download Pocket Killbox here. Unzip the folder to your desktop.
     2. Copy the information in the quote box to Notepad. Save it to your desktop as type "all files" and name it pro.reg (note it is the same as you previously did, so you don't have to recreate it if you still have it).
     3. Download Process Explorer here and unzip it.
     4. Disconnect from the internet, and make sure Norton Antivirus real-time protection is not running. (Right-click on it in the system tray and disable.)
     5. Open Process Explorer. The top pane will show the processes that are running. Look through the list for services.exe. There will be two running. Place your mouse pointer over both of them and find the one that is in C:\Windows. When you find it, right-click on it and select Kill Process Tree. If you get any messages about it being a system file etc., ignore them and kill it.
     6. Double-click the pro.reg file you created and grant it permission to merge the registry entries.
     7. If you were successful in killing the C:\windows\services process, browse to and delete the file C:\WINDOWS\services.exe. If that is successful, go to step 9. If not, do step 8.
     8. Open Killbox that you downloaded in the first step. Make sure the following are checked:
        Delete on Reboot
        End Explorer Shell While Killing File
        Then type the full path to the following file in the Killbox address bar:
        C:\WINDOWS\services.exe
        Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click Yes and allow it to reboot.
     9. Reboot, scan and post another log after the reboot.
  10. Yes, but we made progress the last time, as the O20 entry is gone. I think we are close now.
      1. First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL
      2. Copy the information in the quote box into Notepad. Save it to your desktop as type "all files" and name it search.reg. Save it to your desktop and do not run it yet.
      3. Disconnect from the internet and stay disconnected until you are through with these instructions.
      4. Double-click on the search.reg file and grant it permission to add the registry entries.
      5. Open Killbox. Make sure the following is checked:
         Delete on Reboot
         Then type the full path to the following file in the Killbox address bar:
         C:\WINNT\System32\W8C6S4~1.DLL (Note - use the full name you got in the first step above)
      6. After the reboot, scan with HijackThis and fix all the following entries:
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
         O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
      Reboot and post another log.
  11. Still there. Here are about 3 other things that may get us some more information.
      1. Download Service Filter from here or here and unzip it. Follow the instructions that will be unzipped in the folder. Post the contents from the POST_THIS.TXT file that is generated.
      2. Download the Registry Search Tool here. Unzip it and run it. If your antivirus interferes, you may have to disable script blocking in the antivirus. Put the following in the search box: services.exe. Post the results.
      3. Download Autoruns here. Open it and click on View at the top menu and make sure all the following are checked:
         Show All Locations
         Show Services
         Then click the Save button and save the .txt file generated. Copy and paste the contents of it into the next reply.
  12. OK, let's try another method. Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm Save it to your desktop; you'll need it later. Close all Internet Explorer windows and folders also. Now run the APM program. In the upper window select C:\WINNT\explorer.exe. In the lower window find and right-click this file: C:\WINNT\System32\W8C6S4~1.DLL. Select Unload DLL and click OK on the prompts that follow. Do the same for fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll or whatever file is currently listed in the O20 line.
      Run HijackThis and fix these:
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
      O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
      O20 - AppInit_DLLs: fvusbwmn2558v4l.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      ======================
      Run CWShredder again. Scan and post another log.
  13. Copy the information in the quote box to Notepad. Save it to your desktop as type "all files" and name it pro.reg. Then double-click it and grant it permission to merge the registry entries. Then reboot and post another log.
  14. 1. First look in your C:\WINNT\System32 folder and get the full name for the following file: W8C6S4~1.DLL
      2. Download the latest version of AVG antivirus here and install it. Disable your existing antivirus temporarily and have AVG do a full scan. Have it remove everything it finds.
      3. Download CWShredder here and unzip it to your desktop. Don't run it yet.
      4. Reboot to safe mode.
      5. Run CWShredder. Close all browser windows and click on the Fix/Next button.
      6. Copy the information in the quote box into Notepad. Save it to your desktop as type "all files" and name it search.reg. Double-click on the search.reg file and grant it permission to add the registry entries.
      7. Open Killbox. Make sure the following are checked:
         Delete on Reboot
         End Explorer Shell While Killing File
         Unregister .dll Before Deleting
         Then type the full path to the following files in the Killbox address bar:
         C:\WINNT\System32\W8C6S4~1.DLL (Note - use the full name you got in the first step above)
         and
         C:\WINNT\System32\hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
         Click the Delete on Reboot button. Then press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot. Click No until you have pasted the path to the last file. On the last file click Yes and allow it to reboot.
      8. After the reboot, scan with HijackThis and fix all the following entries:
         R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31403
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31403
         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31403
         R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
         R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=31403
         R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
         R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31403
         O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
         O15 - Trusted Zone: *.greg-search.com
         O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
      Reboot and post another log.
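As an added example (not code from the thread or its author), a small Python checker that parses HijackThis-style lines like the ones quoted in posts 10, 12 and 14 and flags the entry types those posts tell the user to fix: start/search pages redirected to a hijacker host, a nameless BHO, a hijacker domain in the Trusted Zone, and any AppInit_DLLs value. The sample log and the hijacker host list are constructed from the entries shown on this page.

```python
import re
from urllib.parse import urlparse

# Constructed sample log: entries of the kinds quoted in the posts above, plus one benign O4 line.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31403
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINNT\System32\W8C6S4~1.DLL
O15 - Trusted Zone: *.greg-search.com
O20 - AppInit_DLLs: hhvhynt2felvrel.dll.dll.dll.dll.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Hijacker hosts taken from the entries quoted in the posts (a constructed list for this demo).
HIJACKER_HOSTS = {"win-eto.com", "greg-search.com"}
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def parse_entry(line):
    """Split one HijackThis line into (section, body); None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None

def in_hijacker_domain(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in HIJACKER_HOSTS)

def assess(line):
    """Reason string if the entry matches a pattern the posts tell the user to fix, else None."""
    sec, body = parse_entry(line) or (None, "")
    if sec in ("R0", "R1") and "=" in body:            # IE start/search page URLs
        url = body.split("=", 1)[1].strip()
        if in_hijacker_domain(urlparse(url).hostname or ""):
            return "IE start/search page redirected to hijacker host"
    if sec == "O2" and "(no name)" in body:             # nameless Browser Helper Object
        return "BHO without a name"
    if sec == "O15":                                    # Trusted Zone additions
        zone = body.split(":", 1)[1].strip().lstrip("*.")
        if in_hijacker_domain(zone):
            return "hijacker domain added to Trusted Zone"
    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:                                       # anything here is loaded into every GUI process
            reason = "AppInit_DLLs set"
            if re.search(r"(\.dll){2,}$", value, re.I):  # the repeated extension seen in the log
                reason += "; repeated .dll suffix"
            return reason
    return None

def flagged_entries(log_text):
    """(section, reason) for every entry worth fixing, in log order."""
    pairs = ((parse_entry(ln), assess(ln)) for ln in log_text.splitlines())
    return [(p[0], r) for p, r in pairs if r]
```

Running `flagged_entries(SAMPLE_LOG)` returns the four entries the posts fix and leaves the gateway.net start page and the O4 line unflagged, which is the review a helper does by hand on each posted log.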