Trevuren

Trusted Malware Techs
  • Content Count

    246

About Trevuren

  • Rank
    Member

Profile Information

  • Location
    Ottawa, Canada

  1. There isn't really anything that we touched that should have had that effect on Firefox. Have you tried reinstalling Firefox?

     Trevuren
  2. Congratulations, your log shows that your SYSTEM IS CLEAN.

     There are a few things you must do once you are completely clean:

     1. Please DELETE Malicious Items from the Ewido v4 Quarantine.
        A. Open Ewido by double-clicking its icon located in the System Tray down by the clock.
        B. Click on "Infections" on the Ewido Toolbar, then select the "Quarantine" tab.
        C. Choose "Select All" at the bottom of the Ewido window, then click on the "Remove Finally" button and EXIT the program.

     2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
        Double-click ATF-Cleaner.exe to run the program.
        Under Main choose: Select All. Click the Empty Selected button.
        If you use the Firefox browser: click Firefox at the top and choose: Select All. Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        If you use the Opera browser: click Opera at the top and choose: Select All. Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        Click Exit on the Main menu to close the program.
        For Technical Support, double-click the e-mail address located at the bottom of each menu.

     3. Reset and re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
        TO DISABLE SYSTEM RESTORE
        Right-click "My Computer", and then left-click "Properties".
        Left-click on the "System Restore" tab.
        Check the box beside "Turn Off System Restore".
        Left-click on "Apply".
        Reboot your system.
        TO ENABLE SYSTEM RESTORE
        Remove the check mark from "Turn Off System Restore".
        Click on "Apply".

     Here are some tips to reduce the potential for spyware infection in the future:
     Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

     I strongly recommend installing the following applications:
     SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
     SpywareGuard <= SpywareGuard offers realtime protection from spyware installation attempts.
     How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
     How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

     To protect yourself further:
     Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
     MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
     Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
     And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)

     Regards, Trevuren
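The MVPS HOSTS file recommended above works by mapping ad and malware hosts to 127.0.0.1. The Python script below is an added example, not part of Trevuren's post and not code from the MVPS project: it audits a HOSTS file the way a helper would eyeball it, counting sinkhole entries, flagging sinkholed hosts that belong to update or anti-spyware vendors (the kind of HOSTS edit malware makes to block cleanup), and flagging hosts that are mapped to a public address instead of loopback. The sample HOSTS content, the vendor suffix list and the 203.0.113.5 address (a documentation range) are constructed for the example.

```python
"""Audit a Windows HOSTS file: count loopback sinkholes (what the MVPS list
does) and flag entries that do the opposite of protection.
Added example; assumptions are marked in comments."""
import ipaddress

# Addresses a blocklist uses to sinkhole a hostname.
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

# LAN ranges: a hostname mapped here is a normal local entry, not a hijack.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed list: vendor domains a clean HOSTS file should never sinkhole.
PROTECTED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com",
                      "safer-networking.org", "lavasoft.com")

# Constructed sample, not a real HOSTS file.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.doubleclick.net
0.0.0.0         ak.imgfarm.com          # blocklist-style sinkhole
127.0.0.1       www.windowsupdate.com   # update site sinkholed: suspicious
203.0.113.5     www.yahoo.com           # public IP substituted: hijack
"""


def _has_suffix(name, suffix):
    """True for the domain itself or any of its subdomains."""
    return name == suffix or name.endswith("." + suffix)


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: Windows ignores the line too
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts(text):
    """Classify every non-localhost entry of a HOSTS file."""
    report = {"blocked": [], "protected_blocked": [], "hijacked": []}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip in SINKHOLES:
            if any(_has_suffix(name, s) for s in PROTECTED_SUFFIXES):
                report["protected_blocked"].append(name)  # cleanup site blocked
            else:
                report["blocked"].append(name)            # ordinary blocklist entry
        elif not any(ip in net for net in LAN_NETS):
            report["hijacked"].append((name, str(ip)))    # site silently redirected
    return report


if __name__ == "__main__":
    # Real path on XP/2000: C:\WINDOWS\system32\drivers\etc\hosts
    for bucket, items in audit_hosts(SAMPLE_HOSTS).items():
        print(bucket, items)
```

Run it against the real file by reading `C:\WINDOWS\system32\drivers\etc\hosts` into `audit_hosts`; a large `blocked` list with empty `protected_blocked` and `hijacked` lists is what a freshly installed MVPS file looks like.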
  3. A. The newer version of Spybot can be downloaded using the following site: http://www.safer-networking.org/en/mirrors/index.html

     B. Please disable AVG AntiSpyware by opening the program and, on the Status page, beside "Resident Shield" click on "change status" so that it says "inactive", for it may interfere with our HJT fix. Remember to reactivate this feature when all our work is finished.

     C. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

     First we need to make all files and folders VISIBLE:
     Go to Start > Control Panel > Folder Options > View (tab).
     Choose to "show hidden files and folders".
     Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
     Close the window with OK.

     Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:

     R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
     O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
     O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - (no file)
     O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - (no file)
     O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
     O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
     O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
     O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
     O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
     O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
     O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} -
     O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
     O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} (Java Plug-in 1.4.2_07) -
     O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
     O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
     O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
     O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
     O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
     O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
     O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
     O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

     Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

     Reboot your system in Safe Mode.
     How to use the F8 method to start your computer in Safe Mode:
     Restart the computer.
     As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
     Use the arrow keys to select the Safe Mode menu item.
     Press Enter.

     Using the Add/Remove Programs module in your Control Panel, please UNINSTALL the following program(s). These programs are either malware or come bundled with malware, or they are foistware, i.e. programs that are usually installed without the user's consent.
     Viewpoint
     See the following if you want a more in-depth explanation: http://www.bleepingcomputer.com/uninstall/all.html and/or http://www.spywarewarrior.com/rogue_anti-s...re.htm#products

     Using Windows Explorer (Windows Key + E), locate the following folder and DELETE it (if still present):
     C:\Program Files\Viewpoint <== Folder and all its content

     Exit Explorer, and REBOOT BACK INTO NORMAL MODE.

     Finally, RUN HijackThis again and produce a new HJT log. Post it in this thread so we can check how everything looks now. Please also tell me how things are now running.

     Regards, Trevuren
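The fix lists in this post and in post 10 below are assembled by reading a HijackThis log line by line. The Python script below is an added example, not code from the post and not part of HijackThis: it parses lines in the R0/R1, O2, O4 and O16 format quoted above and sorts them into the buckets a helper looks at first, namely entries whose file is missing, O16 DPF downloads from hosts outside an allowlist, browser start/search page settings, and Run-key autostarts. The sample log lines are constructed after the ones in the post (the R1 path is shortened by hand, since the post shows it truncated), and the `trusted_hosts` allowlist is an assumption.

```python
"""Triage HijackThis log lines: parse the 'Onn - ...' format and bucket the
entries a helper would check first. Added example; not HijackThis code."""
import re
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")

# Constructed sample modelled on the log lines quoted in the post.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/search/search.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
"""


def parse_hjt(text):
    """Return one dict per recognised log line (section, body, CLSID, URL host)."""
    items = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, headers and the running-process list
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        items.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "host": urlparse(url.group(0)).hostname if url else None,
        })
    return items


def triage(text, trusted_hosts=frozenset()):
    """Bucket entries by why a helper would look at them."""
    out = {"orphaned": [], "untrusted_download": [],
           "browser_setting": [], "autostart": []}
    for item in parse_hjt(text):
        sec, body = item["section"], item["body"]
        if "(no file)" in body or "(file missing)" in body:
            out["orphaned"].append(item)            # registry points at nothing
        elif sec == "O16" and item["host"] and item["host"] not in trusted_hosts:
            out["untrusted_download"].append(item)  # ActiveX/Java cab, unknown host
        elif sec in ("R0", "R1") and item["host"]:
            out["browser_setting"].append(item)     # start/search page set to a URL
        elif sec == "O4":
            out["autostart"].append(item)           # runs at logon
    return out


def fix_list(text, trusted_hosts=frozenset()):
    """Lines to tick in HijackThis: orphaned entries and untrusted downloads."""
    t = triage(text, trusted_hosts)
    return [f'{i["section"]} - {i["body"]}'
            for i in t["orphaned"] + t["untrusted_download"]]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print(line)
```

O16 entries with no download URL, like the Java plug-in line, land in no bucket; whether to remove those remains a judgement call for the helper, as it was in the post.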
  4. Good job Jesse. Now, let's do some work on getting some current protection programs in place and getting rid of another program that is not recommended to have on your system:

     A. Microsoft Antispyware should be UNINSTALLED. Microsoft no longer supports Microsoft Antispyware; it has now upgraded to Windows Defender, which you can also download, if you wish, from the Microsoft site Here.

     B. I see that you are still running Spybot Search & Destroy version 1.3. This version is way out of date and it is highly recommended that you uninstall it and replace it with version 1.4.

     C. I would like you to UNINSTALL Viewpoint Media Player. An in-depth explanation for my recommendation can be found at one of the following locations. You may want to bookmark these sites, as they are a good guide as to what NOT to have on your system: http://www.bleepingcomputer.com/uninstall/all.html and/or http://www.spywarewarrior.com/rogue_anti-s...re.htm#products

     D. Finally, I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following: Please click on Start, then Run, and type msconfig and then press Enter. When the window opens, click on the Startup tab and make sure there are check marks in every entry. Then press OK until you are out of the program. If it asks to reboot, do not reboot.

     Now please create a new HijackThis log and post it as a reply. Take heart, we are nearly finished.

     Trevuren
  5. A. Please provide me with the content of the AVG AntiSpyware log as previously requested.

     B. You need to update the version of Java that is currently on your system.
        Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 from HERE.
        Scroll down to where it says "Windows Offline Installation". Click the "Download" button to the right.
        Once the program has finished downloading:
        Close any programs you may have running - especially your web browser.
        Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
        Check any item with Java Runtime Environment (JRE or J2SE) in the name.
        Click the Remove or Change/Remove button.
        Repeat as many times as necessary to remove each Java version.
        Reboot your computer once all Java components are removed.
        Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
        Go back into the Control Panel and double-click the Java icon. Under Temporary Internet Files, click the Delete Files button.
        There are three options in the window to clear the cache - leave ALL 3 checked: Downloaded Applets, Downloaded Applications, Other Files.
        Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
        Click OK to leave the Java Control Panel.

     C. After the above is done, please provide me with an updated HJT log which will reflect these changes, and then we can continue the cleanup.

     Regards, Trevuren
  6. A. I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

     B. Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

     1. Download and update AVG AntiSpyware 7.5.
        First download AVG AntiSpyware from HERE and save that file to your desktop. This is a 30-day trial of the program.
        Once you have downloaded AVG AntiSpyware, locate the icon on the desktop and double-click it to launch the setup program.
        Once the setup is complete, run AVG AntiSpyware and update the definition files.
        On the main screen select the icon "Update", then select the "Update now" link. Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
        Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
        Once in the Settings screen, click on "Recommended actions" and then select "Quarantine".
        Under "Reports", select "Automatically generate report after every scan" and un-select "Only if threats were found".
        Close AVG AntiSpyware. Do NOT run a scan just yet.

     2. Reboot your computer in Safe Mode.
        If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears.
        If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
        Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe Mode. Log in on your usual account.

     3. Run SmitfraudFix.
        Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish.
        You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
        The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
        A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.
        The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

     4. Clean out your Temporary Internet Files. Proceed as follows:
        Quit Internet Explorer and quit any instances of Windows Explorer.
        Click Start, click Control Panel, and then double-click Internet Options.
        On the General tab, click Delete Files under Temporary Internet Files.
        In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
        On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
        Click on the Programs tab, then click the Reset Web Settings button. Click Apply, then OK. Click OK.

     5. Next click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

     6. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

     7. Launch AVG AntiSpyware by double-clicking the icon on your desktop.
        Note: IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
        Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan". ewido will now begin the scanning process; be patient, this may take a little time.
        Once the scan is complete, do the following: If you have any infections you will be prompted, then select "Apply all actions".
        Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).

     8. Close AVG AntiSpyware and reboot back into Normal Windows Mode.

     9. Run SmitfraudFix.
        Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #3 - Delete Trusted zone by typing 3 and press Enter. Answer YES to the question "Restore Trusted Zone?" by typing Y and hit Enter.
        Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

     10. Please post the following logs:
         c:\rapport.txt
         AVG AntiSpyware log
         A new HijackThis log
         You may need several replies to post the requested logs, otherwise they might get cut off.

     Regards, Trevuren
  7. There will be a lot of work for you to do as many of your protection programs are not current, but first, please delete your current version of SmitfraudFix as you are using an older version of the tool which doesn't cover all of the infection as I see it.

     Then, please download SmitfraudFix (by S!Ri).
     Extract the content (a folder named SmitfraudFix) to your Desktop.
     Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
     Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
     Please copy/paste the content of that report into your next reply.
     IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
     Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

     Regards, Trevuren
  8. Hi messyjesse and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log. Please post all three logs that you have run if they are relatively current. Post them in any order you wish and it will be just fine.

     Regards, Trevuren
  9. Congratulations, your log shows that your SYSTEM IS CLEAN.

     There are a few things you must do once you are completely clean:

     1. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
        Double-click ATF-Cleaner.exe to run the program.
        Under Main choose: Select All. Click the Empty Selected button.
        If you use the Firefox browser: click Firefox at the top and choose: Select All. Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        If you use the Opera browser: click Opera at the top and choose: Select All. Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
        Click Exit on the Main menu to close the program.
        For Technical Support, double-click the e-mail address located at the bottom of each menu.

     2. Reset and re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
        TO DISABLE SYSTEM RESTORE
        Right-click "My Computer", and then left-click "Properties".
        Left-click on the "System Restore" tab.
        Check the box beside "Turn Off System Restore".
        Left-click on "Apply".
        Reboot your system.
        TO ENABLE SYSTEM RESTORE
        Remove the check mark from "Turn Off System Restore".
        Click on "Apply".

     Here are some tips to reduce the potential for spyware infection in the future:
     Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

     I strongly recommend installing the following applications:
     SpywareBlaster <= SpywareBlaster will prevent spyware from being installed.
     SpywareGuard <= SpywareGuard offers realtime protection from spyware installation attempts.
     How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
     How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

     To protect yourself further:
     Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
     MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
     Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
     And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)

     Regards, Trevuren
  10. A. We now suspect that a system is more prone to a Vundo infection when the Java application has not been updated. Please update your Java and clear the Java cache:
         Go to Start > Control Panel and double-click on the Java icon (coffee cup) in the Control Panel. It will say "Java Plug-in" under the icon. Please find the update button or tab in the Java Control Panel. Update your Java, then reboot.
         If you are unable to update, you can manually update by going here: http://www.java.com/en/download/manual.jsp
         After the reboot, go back into the Control Panel and double-click the Java icon. Under Temporary Internet Files, click the Delete Files button.
         There are three options in the window to clear the cache - leave ALL 3 checked: Downloaded Applets, Downloaded Applications, Other Files.
         Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
         Click OK to leave the Java Control Panel.
         Now, using the Add/Remove Programs feature in your Control Panel, please UNINSTALL the following:
         Java version is 1.4.2.3

      B. Please disable Spyware Doctor:
         1. From within Spyware Doctor, click the "OnGuard" button on the left side.
         2. Uncheck "Activate OnGuard".

      C. Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:

         R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
         R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
         R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
         O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
         O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
         O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - blank (file missing)
         O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab
         O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
         O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
         O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab

         Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
         Reboot your system.
         Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.

      Regards, Trevuren
  11. Hi Andy,
      1. Please update your Ewido definitions.
      2. Boot into Safe Mode.
         How to use the F8 method to start your computer in Safe Mode:
         * Restart the computer.
         * As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
         * Use the arrow keys to select the Safe Mode menu item.
         * Press Enter.
      3. Run Ewido in Safe Mode. Please keep the log.
      4. Reboot into Normal Windows Mode.
      5. Please post a fresh HJT log along with the Ewido.txt log.

      Regards, Trevuren
  12. Please download VundoFix.exe to your desktop.
      Double-click VundoFix.exe to run it.
      Put a check next to Run VundoFix as a task.
      You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
      When VundoFix re-opens, click the Scan for Vundo button.
      Once it's done scanning, click the Remove Vundo button.
      You will receive a prompt asking if you want to remove the files; click YES.
      Once you click Yes, your desktop will go blank as it starts removing Vundo.
      When completed, it will prompt that it will shut down your computer; click OK.
      Turn your computer back on.
      Please post the contents of C:\vundofix.txt and a new HijackThis log.

      Regards, Trevuren
  13. Hi andyj46 and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log.
      I need to get you to move HijackThis to a folder of its own so that nothing gets deleted by mistake:
      1. Right-click in an empty space on your desktop.
      2. From the menu, click New, then Folder, and a folder will appear on your desktop.
      3. Name the folder HJT.
      4. Cut/Paste your current version of HijackThis into the new folder that was just created.
      5. Now, run the program and post a fresh HJT log for review.

      Regards, Trevuren