
noahdfear

Trusted Malware Techs
  • Content Count

    336
  • Joined

  • Last visited

Posts posted by noahdfear


  1. Interesting! Neither of those logs contained any information I was hoping for/expecting. :shrug:

     

    One more, and then I'll write up a proposed fix for you, ok? I want to check for hidden dlls.

     

    Download this zip.

     

    http://www.downloads.subratam.org/pv.zip

     

    Unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, open the pv folder. Double click on the runme.bat. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. Then run option 2 for IE dlls, and post its log too. It's usually pretty large and may take more than one post.


  2. Thank you! ;)

     

    Because this infection is relatively new, I'd like for you to do a bit more searching for us to see if we can identify what keeps putting it back. Download "Registry Search Tool" (RegSrch.vbs) from here

    http://www.billsway.com/vbspage/

    start it and paste in access control, wait for it to complete the search, click ok at the prompt. Then when wordpad opens, copy that back here please.


  3. The original task manager instructions were for XP (my assumption you were using it.......my bad :mrsgreen: ). In 98, if the process is listed, just click it to highlight and click End Task.

     

    I was referring to opening a command window from Start>Programs>Accessories in the event typing command at the run line didn't work.

     

    Once the command window is open, open your saved text file, highlight and copy the first command. Right click in the command window and paste, then hit enter. Repeat for the second command.


  4. Yes, all files will be included, since when you delete the uppermost folder, all files and sub-folders within it will be deleted also. ;)

     

    I've found RegSeeker to be a very good app. I have and do use it in the same way I described on my own computers as well as clients', and have made the same recommendation to many many users with only one occasion of something not working properly afterward. That was on an ME machine and was also a known issue. Check out some of the other features also, e.g. options on the Histories menu and Tweaks. Do be careful while familiarizing though. RegSeeker is also very powerful, and removing the wrong thing could be fatal! :yikes:


  5. First, open task manager>processes tab and verify sockdebug.exe is not running. End task if it is. If it restarts, do the following procedure in safe mode.

     

    Click Start>run and type cmd, then hit enter to open a command window. Copy the commands below, one at a time and paste them on the command line, hitting enter after each. Note any error messages!

     

    attrib -h -r -s C:\WINDOWS\SYSTEM\sockdebug.exe

     

    del C:\WINDOWS\SYSTEM\sockdebug.exe

     

    Reboot and let me know if it's gone and stays gone.


  6. Hi plowdriver01!

     

    Please download the trial version of Ewido Security Suite here:

    http://www.ewido.net/en/download/

    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

     

    Please download Nailfix from here:

    http://www.noidea.us/easyfile/file.php?dow...050515010747824

    Extract the files to a folder of their own on the desktop but please do NOT run it yet. The files must be in a folder of their own!!

     

    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Log on to your user account.

     

    Once in safe mode, open the folder containing Nailfix and double click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

     

    Then please run Ewido, and run a full scan. Save the logfile from the scan.

     

    Scan again with HijackThis and place a check next to the following entries if present. Close ALL other windows and click fix.

     

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

    O4 - HKLM\..\Run: [taqqpmo] c:\windows\system32\fhbmpas.exe r

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

     

     

    Delete the following file if present.

    C:\WINDOWS\System32\fhbmpas.exe

     

    Open C:\Temp if present, select all and delete.

    Open C:\Windows\Temp, select all and delete.

    Open C:\Windows\Prefetch, select all and delete.

    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

     

    If you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

     

    Please post a new HijackThis log, as well as the log from the Ewido scan.

     

    Did you knowingly install CrazyTalk?
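    The fix list above is read by eye: a helper looks at each HijackThis line's section prefix and asks a fixed question of it (is Shell= launching anything besides Explorer.exe, which Run entries autostart, which toolbar CLSID has no file behind it, what does the DPF entry download). The Python below is an added example written for this page, not code from noahdfear or from HijackThis; it parses the six lines quoted in the post (the O16 URL is shortened in the post and is kept that way) and applies those same questions as explicit rules, so the reasoning behind the checklist is visible rather than tacit. The section letters and the line layout are HijackThis's own; the rules and their wording are this example's.

```python
import re
from dataclasses import dataclass

# Constructed sample: the six entries quoted in the post above, copied as they
# appear there. Not a complete log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [taqqpmo] c:\windows\system32\fhbmpas.exe r
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
"""

# Every HijackThis entry is "<letter><number> - <body>"; anything else is header text.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> list:
    """Split a HijackThis log into Entry objects; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: list) -> list:
    """Apply a few explainable rules; returns (section, note) pairs worth a human look."""
    findings = []
    for e in entries:
        if e.section == "F2":
            # system.ini Shell= should name Explorer.exe and nothing else.
            m = re.search(r"Shell=(.+)$", e.body, re.IGNORECASE)
            if m:
                extra = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
                if extra:
                    findings.append((e.section, "Shell= also launches: " + " ".join(extra)))
        elif e.section == "O4":
            # Registry Run entries: report hive, value name and the command it starts.
            m = re.match(r"(HK\w+)\\.*?: \[([^\]]*)\] (.*)$", e.body)
            if m:
                hive, name, cmd = m.groups()
                findings.append((e.section, f"autostart [{name}] in {hive} runs {cmd}"))
        elif e.section == "O3" and "(no file)" in e.body:
            clsid = CLSID_RE.search(e.body)
            findings.append((e.section, "orphaned toolbar " + (clsid.group(0) if clsid else "?")))
        elif e.section == "O16":
            url = re.search(r"https?://\S+", e.body)
            findings.append((e.section, "ActiveX download from " + (url.group(0) if url else "?")))
        elif e.section == "R3" and "is missing" in e.body:
            findings.append((e.section, "URLSearchHook removed or replaced"))
        elif e.section.startswith("R") and e.body.rstrip().endswith("="):
            # An IE setting with an empty value, e.g. a blanked Local Page.
            findings.append((e.section, "blank IE setting: " + e.body.split(",")[-1].rstrip(" =")))
    return findings


if __name__ == "__main__":
    for section, note in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {note}")
```

    The rules deliberately stop at "worth a look": an O4 entry is reported, not judged, because whether c:\windows\system32\fhbmpas.exe is malicious is decided by the rest of the log and the scan results, exactly as the post does before listing it for removal.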


  7. Hope you don't mind me adding $.02 here. :rolleyes:

     

    Just wanted to give you a bit more information about NVidia Driver Helper and Creative plugins (C:\WINDOWS\System32\nvsvc32.exe and C:\WINDOWS\system32\CTHELPER.EXE)

     

    Taken from answersthatwork.com

     

    NVIDIA Driver Helper Service which gets installed under Windows NT4/2000/XP/2003 by the NVIDIA drivers for some of their graphics cards (or graphics cards based on an NVIDIA chipset). We do not at this stage know what this process does except consume memory ! And we also have no idea as to what a “Driver Helper Service” is supposed to do !!

     

    Recommendation :

    This service is often responsible for various glitches, from significant shutdown delays to excessive memory usage. Disabling it, however, does not result in our experience in any ill-effect in regards to the proper operation of your NVIDIA or NVIDIA chipset graphics card, so we recommend that you definitely set the Startup Mode of this service to Disabled. You can do this by going to start>run, type services.msc, hit enter. Locate the service in the list and right click>properties. Stop the service, then disable, apply and OK out.

     

    CTHELPER is a background task that is a plug-in manager for Creative drivers. It first appeared with Creative’s SoundBlaster Live and Audigy soundcards. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. One of the very first uses of this interface has been for InterVideo’s WinDVD in the shape of a fix called "WinDVDPatch" and, at the time of writing 12-Jan-2003, there have not been other uses for it yet.

     

    Recommendation :

    Given its purpose CTHELPER would normally be classified as a "leave alone" background task. Unfortunately, as with many other Creative background tasks in these pages, there are often problems with CTHELPER. The most common complaint is random excess CPU utilization, up to 100% ! We have also had complaints of PCs freezing when CTHELPER is around, although that is probably also 100% CPU utilization. Additionally, on PCs running Intel’s Pentium 4 Hyper-Threading CPUs, the sound stutters. In short : CTHELPER is far more trouble than it is a help.


  8. Hi Joe!

     

    Unfortunately, that log doesn't show us what it found, only how many. :mrsgreen:

     

    I have to ask that you run MWAV again, this time with the instructions below. Sorry, I know it takes a long time. :shrug:

     

    Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower pane of the scanning window labelled Virus Log Information and post it here.


  9. OK, it appears what I was looking for never got the chance to install itself or was removed by one of the antispyware apps. Ad-aware seems to be catching up with that nasty. :tup:

     

    My apologies for all the extra work. :beer: Feel free to delete the bat file and the GetLog text files in C:

     

    I also recommend you download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

     

    That will give you some added layers of protection against unwanted parasites


  10. Hi Spy Sweeper!

     

    Norton can quite frankly, be a pain. Do you still have the original installation cd/files? If so, I recommend you re-install it, then use the uninstaller provided with Norton to uninstall, rather than Add/Remove. Then see if you can uninstall Norton Rescue, then Live Update. If all of the above fails, you can try the brute force method I have used for Norton many times.

     

    First, download RegSeeker and extract to its own folder. Reboot to safe mode, search for and delete all Norton and Symantec folders. Open RegSeeker and click 'Clean Registry'. When the scan is complete, verify the 'backup' box in the lower left corner is checked and click 'Select All', then select all again. Right click within the results and 'delete selected items'. Now repeat. Do this as many times as it takes to get a clean scan. Reboot back into Windows and do another clean registry. Norton should be gone. If it still shows in Add/Remove, select to remove. You should get a message that the files are missing and be allowed to remove it from the list.

     

    Let us know how it goes. ;)


  11. Hi seremina!

     

    I saw something in your log that suggests you may still have an infection. Would you please do the following so we can check?

     

    Please copy the contents of the quote box below to a blank notepad. Make sure the formatting stays the same. Close it, saving to your desktop as:

     

    Filename : Getlog.bat

    Save as type : All Files

     

    regedit.exe /e C:\GetLog1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

    regedit.exe /e C:\GetLog2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall"

    cd C:

    copy C:\GetLog1.txt + C:\GetLog2.txt = C:\GetLog.txt

    start notepad C:\GetLog.txt

    del C:\GetLog1.txt

    del C:\GetLog2.txt

    del C:\GetLog.txt

    cls

    Double click the file to run it. A log will open in notepad. Please post the contents of that log. It may be quite large, so if necessary, split into two posts.
