Trevuren

Trusted Malware Techs
  • Content Count: 246
Everything posted by Trevuren

  1. Trevuren

    Help please w/ "Virus Burst" virus!

    My Pleasure, Trevuren
  2. Trevuren

    Help please w/ "Virus Burst" virus!

    There isn't really anything that we touched that should have had that effect on Firefox. Have you tried reinstalling Firefox? Trevuren
  3. Trevuren

    Help please w/ "Virus Burst" virus!

    Congratulations, your log shows that your SYSTEM IS CLEAN. There are a few things you must do once you are completely clean:

    1. Please DELETE Malicious Items from the Ewido v4 Quarantine
      A. Open Ewido by double-clicking its icon located in the System Tray down by the clock.
      B. Click on "Infections" on the Ewido Toolbar, then select the "Quarantine" tab.
      C. Choose "Select All" at the bottom of the Ewido window, then click on the "Remove Finally" button and EXIT the program.

    2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All. Click the Empty Selected button.
      If you use the Firefox browser, click Firefox at the top and choose: Select All. Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use the Opera browser, click Opera at the top and choose: Select All. Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main menu to close the program.
      For Technical Support, double-click the e-mail address located at the bottom of each menu.

    3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
      TO DISABLE SYSTEM RESTORE
      Right-click "My Computer", and then left-click "Properties".
      Left-click on the "System Restore" tab.
      Check the box beside "Turn Off System Restore".
      Left-click on "Apply".
      Reboot your system.
      TO ENABLE SYSTEM RESTORE
      Remove the check mark from "Turn Off System Restore".
      Click on "Apply".

    Here are some tips to reduce the potential for spyware infection in the future:
    Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

    I strongly recommend installing the following applications:
    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    To protect yourself further:
    Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
    And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)

    Regards, Trevuren
  4. Trevuren

    Help please w/ "Virus Burst" virus!

    A. The newer version of Spybot can be downloaded using the following site: http://www.safer-networking.org/en/mirrors/index.html

    B. Please disable AVG AntiSpyware by opening the program and, on the Status page beside "Resident Shield", clicking on "change status" so that it says "inactive", for it may interfere with our HJT fix. Remember to reactivate this feature when all our work is finished.

    C. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

    First we need to make all files and folders VISIBLE:
    Go to Start > Control Panel > Folder Options > View (tab)
    Choose to "show hidden files and folders".
    Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    Close the window with OK.

    Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:

      R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
      O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
      O2 - BHO: (no name) - {ae18da4e-be15-4925-81bb-890c04af0200} - (no file)
      O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - (no file)
      O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
      O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
      O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
      O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
      O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
      O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} -
      O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} -
      O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
      O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} (Java Plug-in 1.4.2_07) -
      O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
      O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.5.0_02) -
      O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
      O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
      O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
      O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
      O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

    Reboot your system in Safe Mode. How to use the F8 method to start your computer in Safe Mode:
      Restart the computer.
      As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
      Use the arrow keys to select the Safe Mode menu item.
      Press Enter.

    Using the Add/Remove Programs module in your Control Panel, please UNINSTALL the following program(s). These programs are either malware or come bundled with malware, or they are foistware, i.e. programs that are usually installed without the user's consent.
      Viewpoint
    See the following if you want a more in-depth explanation: http://www.bleepingcomputer.com/uninstall/all.html and/or http://www.spywarewarrior.com/rogue_anti-s...re.htm#products

    Using Windows Explorer (Windows Key + E), locate the following folder, and DELETE it (if still present):
      C:\Program Files\Viewpoint <== Folder and all its content

    Exit Explorer, and REBOOT BACK INTO NORMAL MODE.

    Finally, RUN HijackThis again and produce a new HJT log. Post it in this thread so we can check how everything looks now. Please also tell me how things are now running.

    Regards, Trevuren
  5. Trevuren

    Help please w/ "Virus Burst" virus!

    Good job Jesse. Now, let's do some work on getting some current protection programs in place and getting rid of another program that is not recommended to have on your system:

    A. Microsoft Antispyware should be UNINSTALLED. Microsoft no longer supports Microsoft Antispyware; it has now upgraded to Windows Defender, which you can also download, if you wish, from the Microsoft site Here.

    B. I see that you are still running Spybot Search & Destroy version 1.3. This version is way out of date and it is highly recommended that you uninstall it and replace it with version 1.4.

    C. I would like you to UNINSTALL Viewpoint Media Player. An in-depth explanation for my recommendation can be found at one of the following locations. You may want to bookmark these sites as they are a good guide as to what NOT to have on your system: http://www.bleepingcomputer.com/uninstall/all.html and/or http://www.spywarewarrior.com/rogue_anti-s...re.htm#products

    D. Finally, I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following: Please click on Start, then Run, and type msconfig and then press Enter. When the window opens, click on the Startup tab and make sure there are check marks in every entry. Then press OK until you are out of the program. If it asks to reboot, do not reboot.

    Now please create a new HijackThis log and post it as a reply. Take heart, we are nearly finished.

    Trevuren
  6. Trevuren

    Help please w/ "Virus Burst" virus!

    A. Please provide me with the content of the AVG AntiSpyware log as previously requested.

    B. You need to update the version of Java that is currently on your system.
      Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 from HERE.
      Scroll down to where it says "Windows Offline Installation". Click the "Download" button to the right.
      Once the program has finished downloading: Close any programs you may have running - especially your web browser.
      Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
      Reboot your computer once all Java components are removed.
      Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
      Go back into the Control Panel and double-click the Java Icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked:
        Downloaded Applets
        Downloaded Applications
        Other Files
      Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      Click OK to leave the Java Control Panel.

    C. After the above is done, please provide me with an updated HJT log which will reflect these changes, and then we can continue the cleanup.

    Regards, Trevuren
  7. Trevuren

    Help please w/ "Virus Burst" virus!

    A. I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

    B. Please print out or copy these instructions/tutorial to Notepad as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    1. Download and update AVG AntiSpyware 7.5.
      First download AVG AntiSpyware from HERE and save that file to your desktop. This is a 30 day trial of the program.
      Once you have downloaded AVG AntiSpyware, locate the icon on the desktop and double-click it to launch the set up program.
      Once the setup is complete, run AVG AntiSpyware and update the definition files.
      On the main screen select the icon "Update", then select the "Update now" link.
      Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
      Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
      Once in the Settings screen, click on "Recommended actions" and then select "Quarantine".
      Under "Reports": Select "Automatically generate report after every scan". Un-select "Only if threats were found".
      Close AVG AntiSpyware. Do NOT run a scan just yet.

    2. Reboot your computer in Safe Mode.
      If the computer is running, shut down Windows, and then turn off the power.
      Wait 30 seconds, and then turn the computer on.
      Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
      Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe Mode.
      Log in on your usual account.

    3. Run SmitfraudFix.
      Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool.
      Select option #2 - Clean by typing 2 and press Enter.
      Wait for the tool to complete and disk cleanup to finish.
      You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
      The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
      A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.
      The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    4. Clean out your Temporary Internet files. Proceed as follows:
      Quit Internet Explorer and quit any instances of Windows Explorer.
      Click Start, click Control Panel, and then double-click Internet Options.
      On the General tab, click Delete Files under Temporary Internet Files.
      In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
      On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      Click on the Programs tab, then click the Reset Web Settings button. Click Apply then OK. Click OK.

    5. Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK then Apply and OK.

    6. Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

    7. Launch AVG AntiSpyware by double-clicking the icon on your desktop.
      Note: IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
      Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan". ewido will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following: If you have any infections you will be prompted, then select "Apply all actions".
      Next select the "Reports" icon at the top. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

    8. Close AVG AntiSpyware and reboot back into Normal Windows Mode.

    9. Run SmitfraudFix.
      Open the SmitfraudFix folder and double-click smitfraudfix.cmd
      Select option #3 - Delete Trusted zone by typing 3 and press Enter.
      Answer YES to the question "Restore Trusted Zone?" by typing Y and hit Enter.
      Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    10. Please post the following logs:
      c:\rapport.txt
      AVG AntiSpyware log
      A new HijackThis log
    You may need several replies to post the requested logs, otherwise they might get cut off.

    Regards, Trevuren
  8. Trevuren

    Help please w/ "Virus Burst" virus!

    There will be a lot of work for you to do as many of your protection programs are not current, but first, please delete your current version of SmitfraudFix as you are using an older version of the tool which doesn't cover all of the infection as I see it. Then:

    Please download SmitfraudFix (by S!Ri).
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

    Regards, Trevuren
  9. Trevuren

    Help please w/ "Virus Burst" virus!

    Hi messyjesse and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log. Please post all three logs that you have run if they are relatively current. Post them in any order you wish and it will be just fine. Regards, Trevuren
  10. Congratulations, your log shows that your SYSTEM IS CLEAN. There are a few things you must do once you are completely clean:

    1. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All. Click the Empty Selected button.
      If you use the Firefox browser, click Firefox at the top and choose: Select All. Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use the Opera browser, click Opera at the top and choose: Select All. Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main menu to close the program.
      For Technical Support, double-click the e-mail address located at the bottom of each menu.

    3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
      TO DISABLE SYSTEM RESTORE
      Right-click "My Computer", and then left-click "Properties".
      Left-click on the "System Restore" tab.
      Check the box beside "Turn Off System Restore".
      Left-click on "Apply".
      Reboot your system.
      TO ENABLE SYSTEM RESTORE
      Remove the check mark from "Turn Off System Restore".
      Click on "Apply".

    Here are some tips to reduce the potential for spyware infection in the future:
    Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

    I strongly recommend installing the following applications:
    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    To protect yourself further:
    Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
    And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)

    Regards, Trevuren
  11. A. We now suspect that a system is more prone to a Vundo infection when the Java application has not been updated. Please update your Java and clear the Java cache:
      Go to Start > Control Panel, double-click on the Java Icon (coffee cup) in the Control Panel. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java, then reboot.
      If you are unable to update, you can manually update by going here: http://www.java.com/en/download/manual.jsp
      After the reboot, go back into the Control Panel and double-click the Java Icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked:
        Downloaded Applets
        Downloaded Applications
        Other Files
      Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      Click OK to leave the Java Control Panel.
      Now, using the Add/Remove Programs feature in your Control Panel, please UNINSTALL the following: Java version is 1.4.2.3

    B. Please disable Spyware Doctor:
      1. From within Spyware Doctor, click the "OnGuard" button on the left side.
      2. Uncheck "Activate OnGuard".

    C. Please RUN HijackThis. Click the SCAN button to produce a log. Place a check mark beside each one of the following items:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
      O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
      O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
      O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - blank (file missing)
      O16 - DPF: {0E4796D6-A990-4372-9069-72FBDB4AE868} - http://www.one2one.com/static/class/one2oneSvc.cab
      O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
      O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
      O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab

    Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
    Reboot your system.
    Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.

    Regards, Trevuren
  12. Hi Andy,

    1. Please update your Ewido definitions.
    2. Boot into Safe Mode. How to use the F8 method to start your computer in Safe Mode:
      * Restart the computer.
      * As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
      * Use the arrow keys to select the Safe Mode menu item.
      * Press Enter.
    3. Run Ewido in Safe Mode. Please keep the log.
    4. Reboot into Normal Windows Mode.
    5. Please post a fresh HJT log along with the Ewido.txt log.

    Regards, Trevuren
  13. Please download VundoFix.exe to your desktop.
    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files; click YES.
    Once you click Yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shut down your computer; click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.

    Regards, Trevuren
  14. Hi andyj46 and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log.

    I need to get you to move HijackThis to a folder of its own so that nothing gets deleted by mistake.
    1. Right-click in an empty space on your desktop.
    2. From the menu, click New, then Folder, and a folder will appear on your desktop.
    3. Name the folder HJT.
    4. Cut/Paste your current version of HijackThis into the new folder that was just created.
    5. Now, run the program and post a fresh HJT log for review.

    Regards, Trevuren
  15. Trevuren

    Last Stop before reinstall

    Our Pleasure, Trevuren
  16. Trevuren

    Last Stop before reinstall

    Congratulations, your log shows that your SYSTEM IS CLEAN. There are a few things you must do once you are completely clean:

    1. Re-hide your System Files and Folders to prevent any future accidents. Reconfigure Windows XP to hide hidden files:
      Click Start. Open My Computer.
      Select the Tools menu and click Folder Options.
      Select the View tab.
      Under the Hidden files and folders heading deselect "Show hidden files and folders".
      Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm.
      Click OK.

    2. Please run ATF Cleaner again.

    3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
      TO DISABLE SYSTEM RESTORE
      Right-click "My Computer", and then left-click "Properties".
      Left-click on the "System Restore" tab.
      Check the box beside "Turn Off System Restore".
      Left-click on "Apply".
      Reboot your system.
      TO ENABLE SYSTEM RESTORE
      Remove the check mark from "Turn Off System Restore".
      Click on "Apply".

    Here are some tips to reduce the potential for spyware infection in the future:
    Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

    I strongly recommend installing the following applications:
    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    To protect yourself further:
    Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
    And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)

    Regards, Trevuren
  17. Trevuren

    Last Stop before reinstall

    Please post one last HJT log for me to check and if everything is OK, we will commence our final but essential cleanup procedures. Trevuren
  18. Trevuren

    Last Stop before reinstall

    A. I have included, for your convenience, a link to a PDF on how to manage your corporate version. This should enable you to clear everything out. http://www.upenn.edu/computing/virus/docs/...61/navce76u.pdf If this is not the correct version, just Google Norton Corporate Antivirus Quarantine.

    B. Please download the Killbox by Option^Explicit. Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop.
      Please double-click Killbox.exe to run it.
      Select "Delete on Reboot". Then click the "All Files" button.
      Please copy the file path(s) below to the clipboard by highlighting ALL of them and pressing CTRL + C:
        C:\w.exe
        C:\WINDOWS\system32\drsmartload482a.exe
        C:\WINDOWS\system32\Win3.exe
        C:\WINDOWS\YazzleBundle-1119.exe
      Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
      Click the red-and-white "Delete File" button.
      Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
      If your computer does not restart automatically, please restart it manually.

    C. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
      Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All. Click the Empty Selected button.
      If you use the Firefox browser, click Firefox at the top and choose: Select All. Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use the Opera browser, click Opera at the top and choose: Select All. Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main menu to close the program.
      For Technical Support, double-click the e-mail address located at the bottom of each menu.

    D. After all this is done, please tell me if everything appears to be OK so we can finish up.

    Regards, Trevuren
  19. Trevuren

    Last Stop before reinstall

    Things are looking up!!! As a precautionary measure, please run the following online scan and post the results along with a fresh HJT log. If everything is OK, we will be able to start our final cleanup procedures:

    Please do an online scan with Kaspersky Online Virus Scanner.
    Next click on Free Virus Scanner, then Kaspersky Online Scanner.
    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    The program will launch and then begin downloading the latest definition files.
    Once the files have been downloaded, click on NEXT.
    Now click on Scan Settings. In the scan settings make sure that the following are selected:
      Scan using the following Anti-Virus database: Standard
      Scan Options: Scan Archives, Scan Mail Bases
    Click OK.
    Now under select a target to scan: Select My Computer.
    The program will start and scan your system. The scan will take a while, so be patient and let it run.
    Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button. Save the file to your desktop.
    Copy and paste that information into your next post.

    Regards, Trevuren
  20. Trevuren

    Last Stop before reinstall

    A. Please run the following program:
    Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As": DelDomains.inf to your Desktop
    http://www.mvps.org/winhelp2002/DelDomains.inf
    Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal. Then please restart your computer, and post a new HijackThis log.
    Note: You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this if you were using these features before.

    B. Please disable Ewido Security Suite (EwidoGuard)
    1. Launch Ewido
    2. In the main window, click "Realtime protection" (in green indicating "Active") to change to inactive.

    C. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

    First we need to make all files and folders VISIBLE:
    Go to start > control panel > folder options > view (tab)
    Choose to "show hidden files and folders,"
    Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    Close the window with OK.

    Please RUN HijackThis. Click the SCAN button to produce a log.
    Place a check mark beside each one of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe
    O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll
    O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll
    O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022
    O4 - HKLM\..\Run: [igtkhr] C:\WINDOWS\system32\iopsht.exe reg_run
    O4 - HKCU\..\Run: [ecbmi] C:\WINDOWS\system32\iopsht.exe reg_run
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing)

    Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

    Reboot Your System in Safe Mode
    How to use the F8 method to Start Your Computer in Safe Mode
    Restart the computer. As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    Use the arrow keys to select the Safe mode menu item
    Press Enter.

    Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):
    C:\WINDOWS\system32\jsnbryn.exe
    C:\WINDOWS\system32\nsvF1.dll
    C:\WINDOWS\system32\irsmftjs.dll
    C:\WINDOWS\system32\w0b6a022.dll
    C:\WINDOWS\system32\iopsht.exe
    C:\WINDOWS\system32\irssyncd.exe

    Exit Explorer, and REBOOT BACK INTO NORMAL MODE

    Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

    Regards,
    Trevuren
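A small triage helper, added here as an example and not part of Trevuren's post: it parses the HijackThis entries quoted above (embedded as sample input) and derives the list of files to look for on disk the way the post does by hand. It assumes, as the post does, that a bare file name in an entry lives in C:\WINDOWS\system32 and that entries HJT marks "(file missing)" have no file to remove; the skip-list of Windows' own binaries (userinit.exe, rundll32.exe) is my assumption, not something the post states.

```python
import re

# Sample input: the HijackThis entries quoted in the post above (copied from
# the page as a constructed list, not read from a live log).
HJT_FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe,jsnbryn.exe",
    r"O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\system32\nsvF1.dll",
    r"O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmftjs.dll",
    r"O4 - HKLM\..\Run: [w0b6a022.dll] RUNDLL32.EXE w0b6a022.dll,I2 0002616d00b6a022",
    r"O4 - HKLM\..\Run: [igtkhr] C:\WINDOWS\system32\iopsht.exe reg_run",
    r"O4 - HKCU\..\Run: [ecbmi] C:\WINDOWS\system32\iopsht.exe reg_run",
    r"O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe",
    r"O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\kcdlt1.dll (file missing)",
]

SYSTEM32 = r"C:\WINDOWS\system32"  # where the post assumes bare names live
# Assumption: Windows' own binaries that legitimately appear in these entries.
WINDOWS_OWN = {"userinit.exe", "rundll32.exe"}


def section(line):
    """HJT section code of an entry: R1, F2, O2, O4, O20, ..."""
    return line.split(" - ", 1)[0].strip()


def file_refs(line):
    """Every .exe/.dll token in an entry, split on HJT's field separators."""
    tokens = re.split(r"[\s,\[\]=]+", line)
    return [t for t in tokens if t.lower().endswith((".exe", ".dll"))]


def files_to_check(lines):
    """Full paths of the files the entries load, in order, without duplicates.
    Entries HJT marks '(file missing)' have no file on disk (only the registry
    value needs fixing), so they are skipped, as the post's own list does."""
    seen, out = set(), []
    for line in lines:
        if "(file missing)" in line:
            continue
        for ref in file_refs(line):
            name = ref.rsplit("\\", 1)[-1]
            if name.lower() in WINDOWS_OWN:
                continue
            path = ref if ":" in ref else SYSTEM32 + "\\" + name
            if path.lower() not in seen:
                seen.add(path.lower())
                out.append(path)
    return out
```

Running files_to_check(HJT_FIX_LIST) reproduces the six-file deletion list in the post, with kcdlt1.dll left out because HJT reported it missing.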
  21. Trevuren

    Last Stop before reinstall

    Hi 93sc and welcome to the PC Pitstop Forums. My name is Trevuren and I will be helping you with your log. You have a few more things going on here than I think you are aware of.

    A. I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either (1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or (2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

    B.
    1. Please download Ewido Anti-Malware
    Install ewido anti-malware
    Launch ewido, there should be an icon on your desktop, double-click it.
    The program will now open to the main screen.
    When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    You will need to update ewido to the latest definition files.
    On the left hand side of the main screen click update.
    Then click on Start Update.
    The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
    Exit Ewido, do not run the scan yet!
    If you are having problems with the updater, you can use this link to manually update ewido: ewido manual updates

    2. Please download Brute Force Uninstaller to your desktop.
    Right click the BFU folder on your desktop, and choose Extract All
    Click "Next"
    In the box to choose where to extract the files to, Click "Browse"
    Click on the + sign next to "My Computer"
    Click on "Local Disk (C:)" or whatever your primary drive is
    Click "Make New Folder"
    Type in BFU
    Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!
    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

    4. Once in Safe Mode, Open Ewido:
    Click on scanner
    Click on Complete System Scan and the scan will begin.
    You will be prompted to clean the first infection. Select "Perform action on all infections", then proceed.
    Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    Click Save report.
    Save the report .txt file to your desktop or a location where you can find it easily.
    Close ewido anti-malware.

    5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    Start the Brute Force Uninstaller by double-clicking BFU.exe
    In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
    Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.

    Reboot into normal windows and post the contents of the Ewido text report that you saved and a new HiJackThis log.

    Regards,
    Trevuren
  22. Trevuren

    Trojan removal i have tried everything

    It wouldn't hurt to change your passwords. In any event, they all should be changed on a regular basis.

    My Pleasure,
    Trevuren
  24. Trevuren

    Trojan removal i have tried everything

    Congratulations, your log shows that your SYSTEM IS CLEAN

    There are a few things you must do once you are completely clean:

    1. Re-hide your System Files and Folders to prevent any future accidents.
    Reconfigure Windows XP to hide hidden files:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading deselect "Show hidden files and folders".
    Check the "Hide protected operating system files (recommended)" option.
    Click Yes to confirm.
    Click OK.

    2. Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
    TO DISABLE SYSTEM RESTORE
    Right-click "My Computer", and then left click "Properties".
    Left click on "System Restore Tab"
    Check box beside "Turn Off System Restore"
    Left click on "Apply"
    Reboot your System
    TO ENABLE SYSTEM RESTORE
    Remove check mark from "Turn Off System Restore"
    Click on "Apply"

    Here are some tips to reduce the potential for spyware infection in the future:
    Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

    I strongly recommend installing the following applications:
    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    To protect yourself further:
    Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Google Toolbar <= Get the free Google toolbar to help stop pop up windows.

    And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)

    Regards,
    Trevuren
  25. Trevuren

    Trojan removal i have tried everything

    Please post a fresh HJT log for review.

    Trevuren