
noahdfear
Trusted Malware Techs
Content Count: 336

Posts posted by noahdfear


  1. Please open the Java Plug-in in the control panel and locate the version (look for an About tab), then let me know what it is.

     

    Right click My Computer and choose properties. On System Restore tab, check the box to turn off. OK out.

     

    Reboot and turn System Restore back on.

     

    Check to make sure you're using the latest versions of Spybot and SpywareBlaster, version 1.4 and 3.4 respectively. I recommend you open Spybot and click mode on the menu, then advanced. Click Immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Click Tools in the left pane, then IE Tweaks in the left pane and at least check the box to lock the hosts file.

     

    Also recommend you download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

     

    That will give you some added layers of protection against unwanted parasites.


  2. Can you highlight and copy a few lines at a time? If you can pick them out of the log, that's fine. You can also email me the log if you like.

     

    noahdfearATmsnDOTcom

     

    AT=@

    Dot= .

     

    Put PCP darkeyes in the subject line.

     

    Another thing you can try first, but it would mean running it again afterward.

     

    Download RegSeeker. Extract it to its own folder, open and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc. (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. When done, scan again with MWAV and try posting the log.

     

    I planned to have you do this anyway, and it should remove most of those errors, making the results much smaller. It may clear up some of your error messages as well.


  3. Looks good! :)

     

    Check to make sure you're using the latest versions of Spybot and Ad-aware, version 1.4 and SE Personal respectively. I recommend you open Spybot and click mode on the menu, then advanced. Click Immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Click Tools in the left pane, then Resident. Check the box for Resident "SD Helper". Then click IE Tweaks in the left pane and at least check the box to lock the hosts file.

     

    Also recommend you download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

     

    That will give you some added layers of protection against unwanted parasites.

     

    Things running OK now?


  4. Hopefully you still have the scan window open, with the Virus Log Information in it, by the time you read this. :unsure:

     

    Click within the Log section to select it, then press Ctrl+A to select everything, then press Ctrl+C to copy. Open Notepad and press Ctrl+V to paste, then save it to your desktop. Now try posting, even if it's a small section at a time.


  5. Glad to hear it worked! :)

     

    The clicking you hear is possibly a sound scheme, and can be changed or disabled by going into the Control Panel>Sounds and Audio Devices>Sounds tab (don't quote me on that, I'm not on 98 right now to check ;) ). There is a list of Windows events such as Asterisk, Default beep, Exit Windows, etc. There will be a loud speaker icon next to the ones that have a sound selected for that event. Click an event to select it, then click the play button next to the window below that shows the selected file for the event to hear the sound. You can select no sound or change the sound for any event.


  6. Part of Sun's Star Office program. Try unchecking it in msconfig and see if it helps or causes problems with the program after rebooting.

     

    O4 - HKLM\..\Run: [sO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE

     

     

    Non-essential startup items that can be fixed with HijackThis.

     

    O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime

    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\xtras\mssysmgr.exe

     

     

    Open My Computer and right click Local Disk C:, then choose properties. If Indexing is checked, uncheck it and click apply. Apply to all folders and sub-folders. Then click tools and defragment the drive.

     

    If this is a stand-alone computer (not networked), click Tools on any Windows Explorer menu, then Folder Options. Click the view tab and uncheck 'Automatically search for network folders and printers'. Click OK to close the window.

     

    Reboot and let us know if startup is better.


  7. The command window should have three icons in the top right corner just like any window. A line to minimize to the tray, a double window to make the window small or large and an X to close the window. Can you not see those? Maybe the monitor needs adjusting? Open window is larger than the screen?

     

    Just write the commands down and type them in (the 2 in bold below). Hit enter after each line.

     

    attrib -h -r -s C:\WINDOWS\SYSTEM\sockdebug.exe

     

    del C:\WINDOWS\SYSTEM\sockdebug.exe

     

     

    Notice that there is a space between the following commands, switches and filepaths.

     

    attribspace-hspace-rspace-sspaceC:\WINDOWS\SYSTEM\sockdebug.exe

     

    delspaceC:\WINDOWS\SYSTEM\sockdebug.exe


  8. Fix this entry with HijackThis.

     

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

     

    Your log looks good otherwise. :)

     

    The word RAV in my post above is a link to the online scanner. On the RAV page, click the link where it says: To continue without subscribing click here. Allow the control to be installed, wait for the definition files to be updated, then click Scan My PC. Copy the results in the window when done (make sure to get it all) and post here.

     

    Both of the files found by NAV appear to be rogue. I'd say you're safe deleting them.

     

    The regsettings.exe file you sent was again corrupt, and empty. I'm betting that your copy is too. I believe you're safe deleting that one also.

     

    Let's see what RAV has to report, and if all is well we can clear your System Restore points to ensure you won't put back any infections, should you need to use it in the future.

     

    Everything seem to be working OK?


  9. When did these errors begin, e.g. after recent update, software installation, hardware or driver upgrade/update?

     

    Can you give us the exact error messages please?

     

    Have you noticed anything else acting up?

     

    Please download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower pane of the scanning window labelled Virus Log Information and post it here. Takes quite a long time for it to finish, so be patient. ;)


  10. Copy the contents of the quote box below to a blank notepad. Make sure the formatting remains the same.

    Close it, saving to your desktop as:

     

    File name: Rem.reg

    Save As Type: All Files

    REGEDIT4

     

    [-HKEY_CURRENT_USER\Software\aurora]

    Double click the file and allow it to merge with the registry. You may get an alert from MSAS; allow it.

     

    Then copy the contents of the quote box below to a blank notepad. Make sure the formatting remains the same.

    Close it, saving to your desktop as:

     

    File name: ico.bat

    Save As Type: All Files

     

    cd\windows\system32

    del /Q *.ico

    Double click the file to run it.

     

    Open Internet Options in the control panel and click Delete Cookies. Then empty the recycle bin. Do this from both the Bob and Denise user accounts.

     

    From either account, right click My Computer and choose properties. On the System Restore tab, check the box to turn off. Click OK to exit.

     

    Reboot.

     

    Turn System Restore back on.

     

    Run FindIt and Ewido again and post the logs.


  11. Locate and delete this file. C:\WINDOWS\system32\biU.exe

     

    Just as a double check, download FindIt's.zip to your desktop: Download Here

    • Create a new folder on your desktop
    • Unzip/extract the files inside that folder you created on your desktop.
    • Open the folder and run FindIt's.bat and wait for notepad to open a text file. It may take awhile so please be patient ...
    • Then post the results here.

  12. You should print this out and/or save it to text where you can access it in safe mode.

     

    Check for updates to Ad-aware.

     

    Right click the desktop and choose new>folder. Name it HJT. Cut and paste HijackThis.exe to that folder.

     

    Scan again with HijackThis, check the following entries, close all other windows and click fix.

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: - {062A316C-5B17-4E5D-8272-2165428CE301} - C:\WINDOWS\lbbho.dll (file missing)

    O4 - HKLM\..\Run: [MessengerSettings] C:\WINDOWS\regsettings.exe

    O4 - HKCU\..\Run: [Atrs] C:\Documents and Settings\Ryan\Application Data\rrur.exe

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

     

     

    Either reboot and repeatedly tap F8 to enable the start menu then select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

     

    Now in safe mode, you will need to show hidden files and folders, as well as system files and extensions for known file types.

     

    Open C:\WINDOWS and rename the file regsettings.exe to regsettings.old. The copy you sent was corrupted and when tested had an error. I was unable to even extract it successfully. Please try sending another copy when back in Windows. I would also like you to check the properties before renaming and give me all the information available.

     

    Open C:\Documents and Settings\Ryan\Application Data and delete the file rrur.exe

     

    Delete all files/folders and shortcuts associated with Access Control.

     

    Open C:\Temp if present, select all and delete.

    Open C:\Windows\Temp, select all and delete.

    Open C:\Windows\Prefetch, select all and delete.

    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all username folders.

    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.

     

    Open Ad-aware and run in full scan mode. Delete all it finds.

     

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

     

    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

     

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

     

    Run another HijackThis scan and post the log.


  13. Was that scan done in safe mode?

     

    You will need to temporarily disable Microsoft AntiSpyware. Right click on the MSAS icon (looks like a target) and click on Security Agents Status (Enabled), then click on Disable Real-time Protection. To re-enable it, you follow the same steps but click on Enable Real-time Protection.

     

    Uninstall CrazyTalk in Add/Remove if you don't use or want it. Then delete CrazyTalk.dll in C:\Windows\system32 and any other associated files/folders.

     

    Scan again with HijackThis, check the following entries, close all other windows and click fix.

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

    O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

    O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

     

    Then click the config button, then misc tools. Click the Delete an NT Service button and type in SvcProc, then click OK. If successful, reboot and post a new HJT log. If the service cannot be deleted, reboot and try again.
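The HijackThis entries the helper asks to fix in the two posts above (and in posts 6, 8 and 12) share a few recognisable traits: a target file that no longer exists, an IE setting that has been blanked, an extra process appended to the system.ini Shell= line, an autostart binary living in a user profile or directly in the Windows root, or an unowned service. The following is an added example, not HijackThis code and not anything posted in this thread: a small Python triage script that parses log lines of that shape and reports which of those traits apply. The flag names and heuristics are this example's own, and the sample log is constructed from the entries quoted in the posts above.

```python
"""Heuristic triage of HijackThis-style log entries (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample built from the entry lines quoted in the posts above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: - {062A316C-5B17-4E5D-8272-2165428CE301} - C:\WINDOWS\lbbho.dll (file missing)
O4 - HKLM\..\Run: [MessengerSettings] C:\WINDOWS\regsettings.exe
O4 - HKCU\..\Run: [Atrs] C:\Documents and Settings\Ryan\Application Data\rrur.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\documents and settings\denise kozer\desktop\qttask.exe" -atboottime
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINDOWS\System32\CrazyTalk.dll,DllServeMediaFile
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
"""

# "<section> - <body>" is the shape of every HijackThis entry line.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First Windows path in the body: either quoted, or unquoted up to a binary extension.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|bat|com|cpl|scr))', re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


@dataclass
class Finding:
    section: str
    body: str
    path: Optional[str] = None
    url: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None


def classify(section: str, body: str, path: Optional[str]) -> List[str]:
    """Return the heuristic flags (names chosen for this example) that apply to one entry."""
    flags: List[str] = []
    # Registry reference whose target is gone: a leftover, safe to clean.
    if "(file missing)" in body or "(no file)" in body:
        flags.append("orphan")
    # An R0/R1 IE setting that has been blanked rather than set.
    if section.startswith("R") and body.rstrip().endswith("="):
        flags.append("empty-value")
    # system.ini Shell= should be exactly Explorer.exe; anything appended runs at every logon.
    if section == "F2" and "Shell=" in body:
        procs = body.split("Shell=", 1)[1].split()
        if len(procs) != 1 or procs[0].lower() != "explorer.exe":
            flags.append("extra-shell")
    # O16 entries are ActiveX controls downloaded from the listed URL.
    if section == "O16":
        flags.append("activex-download")
    # A service with no registered owner deserves a second look.
    if section == "O23" and "Unknown owner" in body:
        flags.append("unknown-owner")
    if path:
        low = path.lower()
        # Autostart binaries living inside a user profile (desktop, Application Data).
        if "\\documents and settings\\" in low:
            flags.append("user-profile-path")
        # Binaries dropped directly in the Windows root rather than System32.
        if low.rsplit("\\", 1)[0] in ("c:\\windows", "c:\\winnt"):
            flags.append("windows-root-binary")
    return flags


def triage(log_text: str) -> List[Finding]:
    """Parse every entry line in the log; headers and blank lines are skipped."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        url_m = URL_RE.search(body)
        path = extract_path(body)
        findings.append(Finding(section, body, path, url_m.group(0) if url_m else None,
                                classify(section, body, path)))
    return findings


def flags_for(line: str) -> List[str]:
    """Flags for a single entry line (empty list if it does not parse as an entry)."""
    found = triage(line)
    return found[0].flags if found else []


def suspicious(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.flags]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {(','.join(f.flags) or '-'):<45} {f.path or f.url or ''}")
```

Note that the heuristics are deliberately conservative: the CrazyTalk rundll32 entry and the UserInit line come back with no flags, because a System32 path on its own says nothing, which is exactly why the helper still asks for the full log rather than trusting any one rule.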


  14. I would expect that kind of a drop when first starting ZA, but not for it to continue using it. Mine runs basically as a background task, using zero to 1% cpu unless changing a web page, refreshing, etc., but even then only spiking to 2 or 3%. In terms of memory usage, my highest right now is iexplore.exe, which has been open for about 6 hrs and is at 28,216k. ZA is at 6516k and has been running since I started my computer yesterday, about 20 hours ago.

     

    What version ZA are you using? Do you remember the exact error you get?


  15. Would you please zip a copy of C:\WINDOWS\regsettings.exe and attach it to an email to me at noahdfearATmsnDOTcom (replace AT with @ and DOT with a period). Put PCP rmal75 in the subject line.

     

    Then please download version 1.99.1 of HijackThis.exe here, place it in a new folder of its own such as C:\HJT or desktop\HJT, then create and post a new log.

     

    Did you knowingly install Party Poker?


  16. I was very surprised to see you state that ZA is a resource hog. I've never experienced that. :mrsgreen: What kind of problems does it create for you?

     

    EZ Armor is Great, IMO. You won't find much difference in the firewall though. It uses a Computer Associates branded Zone Alarm. The antivirus is very good and lightweight. I won't be without it on one of my machines! ;)
