Trogan

Trusted Malware Techs
  • Content Count

    156
  • Joined

  • Last visited

Everything posted by Trogan

  1. Trogan

    my hjt

    OK, so the main problem at the moment is that your internet does not work with SpySweeper? I'm going to see what I can find. I will post back when I can.
  2. Trogan

    my hjt

    I'm a bit lost here. Could you explain what I bolded in the quote please? The bolded two above: I'm not sure if I've seen a google address with "ie" at the end. You might want to remove that unless you know what it is. And the comcast has a ":" (semi colon) in the name. Therefore, the address is not right, so not sure if that would cause a problem. You should correct these and see if they make a difference.
  3. Trogan

    my hjt

    Let's try a reg fix:
    Open Notepad! Copy and paste everything from the Quote box into Notepad.
    Go to File > Save As. Save the file name as Fix.reg, change Save as Type to All Files, and save the file to your desktop.
    Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK.
    Reboot your computer!
    Let me know if that helps.
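A way to check a Fix.reg before merging it, added here as an example (this is not code from the thread, and the Quote box the post refers to is not on this page). The script parses the Regedit 5.00 format that a Fix.reg uses and lists every key and value the file would create, set or delete, so the file can be reviewed before it is double-clicked. The sample file inside it is constructed for this example: the two Run value names are borrowed from the HijackThis entries quoted later on this page, and every other key, value name and data item is an assumption.

```python
"""Show what a Fix.reg would change before it is merged (added example)."""
import re
from dataclasses import dataclass
from typing import Any, List

# Constructed sample .reg file; keys and values are assumptions for the example.
SAMPLE_FIX_REG = r"""Windows Registry Editor Version 5.00

; a [-KEY] header deletes the whole key, including every subkey and value
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CF6DE82-E459-0269-2EB5-20B91EB95C46}]

; a [KEY] header creates the key if needed; "Name"=- deletes that one value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"First Find Intra Bird"=-
"Trust Dead Help Win"=-

[HKEY_CURRENT_USER\Software\ExampleReview]
"ExampleString"="C:\\Example Folder\\file.txt"
"ExampleDword"=dword:00000001
"""


@dataclass
class RegAction:
    op: str            # "add_key", "delete_key", "set_value", "delete_value"
    key: str
    name: str = ""     # value name; "@" is the key's default value
    data: Any = None   # decoded data for set_value
    kind: str = ""     # "string", "dword" or "hex" for set_value


_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode_string(s: str) -> str:
    """Undo .reg escaping: \\ becomes \ and \" becomes " ."""
    return re.sub(r"\\(.)", r"\1", s)


def _join_continuations(lines: List[str]) -> List[str]:
    """Hex data is wrapped with a trailing backslash; glue those lines back together."""
    out: List[str] = []
    buf = None
    for raw in lines:
        line = raw.rstrip()
        if buf is not None:
            line = buf + line.strip()
            buf = None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        out.append(line)
    if buf is not None:
        out.append(buf)
    return out


def parse_reg(text: str) -> List[RegAction]:
    """Turn a Regedit 5.00 export into the list of changes it would apply."""
    lines = _join_continuations(text.splitlines())
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Regedit 5.00 export")
    actions: List[RegAction] = []
    current = None
    for line in lines[1:]:
        if not line.strip() or line.startswith(";"):
            continue                      # blank line or comment
        m = _KEY_RE.match(line)
        if m:
            delete, current = m.groups()
            actions.append(RegAction("delete_key" if delete else "add_key", current))
            continue
        m = _VALUE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        if current is None:
            raise ValueError("value line before any [key] header")
        name = "@" if m.group(2) else _decode_string(m.group(1))
        data = m.group(3).strip()
        if data == "-":
            actions.append(RegAction("delete_value", current, name))
        elif data.startswith('"') and data.endswith('"'):
            actions.append(RegAction("set_value", current, name, _decode_string(data[1:-1]), "string"))
        elif data.lower().startswith("dword:"):
            actions.append(RegAction("set_value", current, name, int(data[6:], 16), "dword"))
        elif data.lower().startswith("hex"):
            blob = data.split(":", 1)[1]
            raw = bytes(int(b, 16) for b in blob.split(",") if b.strip())
            actions.append(RegAction("set_value", current, name, raw, "hex"))
        else:
            raise ValueError(f"unsupported data format: {data!r}")
    return actions


def destructive(actions: List[RegAction]) -> List[RegAction]:
    """Whole-key deletions: the one kind of change worth reading twice before merging."""
    return [a for a in actions if a.op == "delete_key"]


def summarize(actions: List[RegAction]) -> List[str]:
    """One human-readable line per change, in file order."""
    out = []
    for a in actions:
        if a.op == "delete_key":
            out.append(f"DELETE KEY   {a.key}")
        elif a.op == "add_key":
            out.append(f"ENSURE KEY   {a.key}")
        elif a.op == "delete_value":
            out.append(f"DELETE VALUE {a.key} -> {a.name}")
        else:
            out.append(f"SET {a.kind:<6}   {a.key} -> {a.name} = {a.data!r}")
    return out
```

Run `print("\n".join(summarize(parse_reg(open("Fix.reg").read()))))` against a real file to see the changes before merging; anything returned by `destructive()` removes an entire subtree, which is exactly what a `[-KEY]` header in a pasted fix does.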
  4. Trogan

    my hjt

    So we've narrowed it down to SpySweeper. What I suggest you do is run a scan with SpySweeper in Safe Mode. Let me know if that helps.
  5. Trogan

    my hjt

    Hi rgsmile! SpySweeper, WinPatrol and Windows Defender are all monitoring programs. So what is likely happening here is when one of those programs tries to make a change, i.e. remove Virusbursters, another one brings it back and we're back to square one. Generally it is not a good idea to have more than one monitoring program as they can cause confusion such as in this case. You should select one program to be your main monitoring program and DISABLE the others as instructed previously in this thread. Please do this and let me know if you're still getting alerts.
  6. Trogan

    my hjt

    Thanks for the new log. It came back clean, which I thought it would. I'm getting the registry entries checked out. Be back shortly.
  7. Trogan

    my hjt

    Hi rgsmile! There is a newer version of SmitfraudFix that came out yesterday. You currently have v2.117, and the new version is 2.119. Let's update SmitfraudFix and see what it finds.
    Open SmitfraudFix.cmd and press 4 to check for updates. Once updated, run Option 1 to produce a new log. Please post that here.
    Also, tell me if you see the Virusbursters folder in Program Files.
    C:\Program Files\Virusbursters <-- This folder
  8. Trogan

    my hjt

    OK, let's check the registry:
    1. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.
    2. Download Registry Search to your desktop. Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
    Open the new folder, and double click on regsearch.exe. Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself. Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
    Please reply here with the entire contents of the Notepad file from RegSearch.
  9. Trogan

    my hjt

    Hi rgsmile, You can enable the protection for the programs again, if you would like - I suggest you do. I should have mentioned this earlier, but it's likely the reason why the new WinPatrol gave you alerts was because it's a new install, so it's just making sure everything is how you want it. As for the Silent Runners log, it's not showing anything bad. Let me know if you're still getting alerts after enabling the protection for Windows Defender, SpySweeper and WinPatrol.
  10. Trogan

    my hjt

    That is clean. Let's check a bit deeper.
    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners. Save it to the desktop.
    Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop. You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!). Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.
    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  11. Trogan

    my hjt

    OK, let's try this: I need you to DISABLE some programs and run SmitfraudFix again.
    WinPatrol
    Right-click the running icon of WinPatrol in the system tray and choose Exit. It will automatically restart at next boot.
    SpySweeper
    1. Open SpySweeper and click on Options > Program Options and uncheck "load at windows startup".
    2. On the left click "shields" and then uncheck everything there.
    3. Uncheck "home page shield".
    4. Uncheck "automatically restore default without notification".
    5. Exit the program.
    Windows Defender
    1. Open Windows Defender.
    2. Click on Tools > General Settings.
    3. Scroll down and uncheck Turn on real-time Protection (recommended).
    4. After you uncheck these, click on the Save button and close Windows Defender.
    5. Right click on the Windows Defender icon on the taskbar and select Shutdown Windows Defender.
    Run Option 1 in SmitfraudFix and post the log here please.
    What you are getting is normal and is part of the Windows process. Temp files can easily be deleted and are safe to do so. Please turn System Restore back on. If anything goes wrong, you will not have any restore points to fall back on. Please do what I suggested above.
  12. Trogan

    my hjt

    OK, the SmitfraudFix log found one baddie; let's get it removed.
    Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
    Please download Ewido to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    Install Ewido by double clicking the installer. Follow the prompts. Make sure that Launch Ewido is checked.
    On the main screen under Your Computer's security, click on Change state next to Resident shield. It should now change to inactive.
    Next to Last Update, click on Update now. (You will need an active internet connection to perform this.) Wait until you see the Update successful message.
    Note: If the Update now option is grayed out, follow the steps below. Click on Update on the toolbar. Under Manual update, click on the Start Update button. Wait until you see the Update successful message.
    Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates. Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.
    ______________________________
    Reboot your computer in Safe Mode.
    If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe Mode. Login on your usual account.
    ______________________________
    Open the SmitfraudFix folder, then double-click smitfraudfix.cmd to start the tool.
    Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish.
    You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.
    The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
    ______________________________
    Navigate to C:\Windows\Temp. Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp. Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.
    Clean out your Temporary Internet files. Proceed like this: Quit Internet Explorer and quit any instances of Windows Explorer. Click Start, click Control Panel, and then double-click Internet Options. On the General tab, click Delete Files under Temporary Internet Files. In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK. On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK. Click on the Programs tab, then click the Reset Web Settings button. Click Apply, then OK. Click OK.
    Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.
    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
    ______________________________
    Close ALL open Windows / Programs / Folders.
    Please start Ewido and run a full scan. Click on Scanner on the toolbar. Click on the Settings tab.
    Under How to act? click on Recommended Action and choose Quarantine from the popup menu.
    Under How to scan? all checkboxes should be ticked.
    Under Possibly unwanted software: all checkboxes should be ticked.
    Under Reports: select Automatically generate report after every scan and uncheck Only if threats were found.
    Under What to scan? select Scan every file.
    Click on the Scan tab. Click on Complete System Scan to start the scan process. Let the program scan the machine. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2) At the bottom of the window click on the Apply all Actions button. (3) When done, click the Save Scan Report button. Click the Save Report as button. Save the report to your Desktop.
    Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.
    ______________________________
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #3 - Delete Trusted zone by typing 3 and press Enter. Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
    ______________________________
    Please post:
    c:\rapport.txt
    AVG anti-spyware log
    A new HijackThis log
    You may need several replies to post the requested logs, otherwise they might get cut off.
  13. Trogan

    my hjt

    Virusbursters is one of many variants of the Smitfraud infection. There is a tool to identify and remove the infection, so let's give it a run and see what it produces.
    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #1 - Search by typing 1 and press Enter.
    This program will scan large amounts of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
    IMPORTANT: Do NOT run any other options until you are asked to do so!
  14. Trogan

    my hjt

    Hi rgsmile, Your log is clean. Are you having any specific issues?
  15. Hi, Sorry for the delay. Let's continue...
    Open Notepad! Copy and paste everything from the Quote box into Notepad.
    Go to File > Save As. Save the file name as Fix.reg, change Save as Type to All Files, and save the file to your desktop.
    Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK.
    ________________________________________
    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
    Updating Java:
    Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Check the box that says "Accept License Agreement." The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    Close any programs you may have running - especially your web browser.
    Go to Start > Control Panel, double-click on Add/Remove Programs and remove the following... J2SE Runtime Environment 5.0 Update 6
    Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
    ________________________________________
    Your log is clean - Good Job!
    You can delete SmitfraudFix, VundoFix, ComboFix and the fix.reg file as they are not needed anymore.
    If you don't have any more problems, then here are some measures you can take to stay more secure online:
    Secure your Internet Explorer by going here and following the instructions there. Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera.
    Use a firewall to help prevent your PC(s) from being usurped by undesirables. If you don't have a Firewall, then choose one from the list here.
    Install an Anti-Virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often. If you don't have an Anti-Virus program, choose one from the list here.
    Install and keep updated Ad-Aware SE and Spybot Search & Destroy. Run them both on a regular basis, following the manufacturer's recommendations.
    Install and keep updated SpywareBlaster and SpywareGuard.
    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
    Clear your Temp folders. Go to Start > Control Panel > Internet Options. Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK.
    Go to "Start" -> "Run" and type in the box: "cleanmgr" and press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked: Temporary Files, Temporary Internet Files, Recycle Bin, and then press "OK" to remove.
    Go to Start > Find/Search > Files or folders > in the named box, type: *.tmp and choose Edit > Select All -> File > Delete.
    Empty/delete the entire contents from within the following folders:
    C:\Windows\temp
    C:\temp <-- if you have one.
    Note: Empty the contents but do not delete the folder(s).
    Clear out temp files from the following location. Change "username" to whatever you have on your computer.
    C:\Documents and Settings\username\Local Settings\Temp\
    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
    Empty the Recycle Bin!
    Hide system files
    It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake. To hide system files and folders, do the following for your operating system...
    Windows XP
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading, uncheck Do not show hidden files and folders.
    * Check the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.
    For XP users. It's a good idea to flush your System Restore points after ridding yourself of malware. You can clean this by doing the following:
    Click Start | Help and Support | Undo changes to your computer with System Restore. Click Create A Restore Point then click Next. Give it a name and then click Create, then Close. Close the Help and Support Center box.
    Click Start | Run and type Cleanmgr. Select (C:) then click OK. Click the More Options tab. Click Clean Up in the System Restore section. This will remove all previous restore points except the newly created one.
    ===============
    If you have any more problems, post back. Otherwise, respond once more so we may archive this thread.
  16. Thanks for doing that! I'm still waiting for something to be checked. Sorry for the delay.
  17. Hi LJK, I'm glad everything is working again. I assume you have removed the HijackThis entries, and deleted the folders? If so, could you also run the Ewido scan please. It would remove any leftovers plus extra.
  18. Hi, I'm getting something checked out, hopefully it won't be long. But for now, can you rename HijackThis to HJT and post a new log please.
  19. Hi LJK! Thanks for getting a Firewall...let's continue.
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {5CF6DE82-E459-0269-2EB5-20B91EB95C46} - C:\DOCUME~1\MYPC~1\APPLIC~1\AMENSE~1\Dog1.exe (file missing)
    O3 - Toolbar: (no name) - {B070220A-2CA1-5926-8A09-07928F2C470C} - (no file)
    O4 - HKLM\..\Run: [First Find Intra Bird] C:\Documents and Settings\All Users\Application Data\interdebugfirstfind\Setup slow.exe
    O4 - HKLM\..\Run: [Trust Dead Help Win] C:\Documents and Settings\All Users\Application Data\Software Play Trust Dead\Barb Soft.exe
    O4 - HKCU\..\Run: C:\DOCUME~1\MYPC~1\APPLIC~1\BALMNA~1\mix proxy love.exe
    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis
    =====
    We need to view hidden files and folders:
    Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
    =====
    Find and Delete the following:
    C:\Documents and Settings\All Users\Application Data\interdebugfirstfind <-- This folder
    C:\Documents and Settings\All Users\Application Data\Software Play Trust Dead <-- This folder
    C:\Documents and Settings\MYPC~1\Application Data\BALMNA~1 <-- This folder (The folder starts with BALMNA)
    =====
    You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!
    Please download Ewido to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    Install Ewido by double clicking the installer. Follow the prompts. Make sure that Launch Ewido is checked.
    On the main screen under Your Computer's security, click on Change state next to Resident shield. It should now change to inactive.
    Next to Last Update, click on Update now. (You will need an active internet connection to perform this.) Wait until you see the Update successful message.
    Note: If the Update now option is grayed out, follow the steps below. Click on Update on the toolbar. Under Manual update, click on the Start Update button. Wait until you see the Update successful message.
    Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates. Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.
    Reboot your computer in Safe Mode.
    If the computer is running, shut down Windows, and then turn off the power. Wait 30 seconds, and then turn the computer on. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe Mode. Login on your usual account.
    Once in Safe Mode:
    Close ALL open Windows / Programs / Folders.
    Please start Ewido and run a full scan. Click on Scanner on the toolbar. Click on the Settings tab.
    Under How to act? click on Recommended Action and choose Quarantine from the popup menu.
    Under How to scan? all checkboxes should be ticked.
    Under Possibly unwanted software: all checkboxes should be ticked.
    Under Reports: select Automatically generate report after every scan and uncheck Only if threats were found.
    Under What to scan? select Scan every file.
    Click on the Scan tab. Click on Complete System Scan to start the scan process. Let the program scan the machine. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu. (2) At the bottom of the window click on the Apply all Actions button. (3) When done, click the Save Scan Report button. Click the Save Report as button. Save the report to your Desktop.
    Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot back into Normal Mode, and post a new HJT log, along with the Ewido log.
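The post above works from HijackThis log lines by hand: it picks out entries with no registered name or no file on disk, and derives the three folders to remove from the O4 autostart paths. As an added example (not code from the thread or from HijackThis), the script below parses the R0/O2/O3/O4 line formats shown in the post and recovers that same folder list, flagging entries on structural features only: the "(no name)", "(file missing)" and "(no file)" markers HijackThis prints, and autostarts launched from an Application Data folder. The sample lines are the six quoted in the post; the regexes, field names and the review rules are assumptions made for this example (the third folder comes out in its 8.3 short-name form because that is how the log prints it).

```python
"""Parse HijackThis entries and list the autostart folders they point at (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the six entries the post asks the user to tick in HijackThis.
SAMPLE_HJT_LINES = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm",
    r"O2 - BHO: (no name) - {5CF6DE82-E459-0269-2EB5-20B91EB95C46} - C:\DOCUME~1\MYPC~1\APPLIC~1\AMENSE~1\Dog1.exe (file missing)",
    r"O3 - Toolbar: (no name) - {B070220A-2CA1-5926-8A09-07928F2C470C} - (no file)",
    r"O4 - HKLM\..\Run: [First Find Intra Bird] C:\Documents and Settings\All Users\Application Data\interdebugfirstfind\Setup slow.exe",
    r"O4 - HKLM\..\Run: [Trust Dead Help Win] C:\Documents and Settings\All Users\Application Data\Software Play Trust Dead\Barb Soft.exe",
    r"O4 - HKCU\..\Run: C:\DOCUME~1\MYPC~1\APPLIC~1\BALMNA~1\mix proxy love.exe",
]


@dataclass
class HjtEntry:
    section: str                    # "R0", "O2", "O3", "O4", ...
    raw: str
    hive: Optional[str] = None      # HKLM / HKCU for registry-backed entries
    name: Optional[str] = None      # Run value name, BHO/toolbar name, or R0 value name
    clsid: Optional[str] = None     # COM class id for O2/O3 entries
    path: Optional[str] = None      # file the entry launches or points at
    flags: List[str] = field(default_factory=list)  # markers HJT itself prints


_HEAD = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 - HKLM\..\Run: [Value Name] C:\path\prog.exe   ([Value Name] is optional)
_O4 = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.*)$")
# O2 - BHO: name - {CLSID} - C:\path\file.dll   /   O3 - Toolbar: name - {CLSID} - (no file)
_O23 = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
# R0 - HKLM\Software\...\Main,Local Page = C:\path\blank.htm
_R = re.compile(r"^(?P<hive>HKLM|HKCU)\\(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")


def parse_hjt_line(line: str) -> HjtEntry:
    """Split one HijackThis line into fields; unknown sections keep only the raw text."""
    line = line.strip()
    m = _HEAD.match(line)
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    sec, body = m.group("sec"), m.group("body")
    e = HjtEntry(section=sec, raw=line)
    if sec == "O4":
        m4 = _O4.match(body)
        if m4:
            e.hive, e.name, e.path = m4.group("hive"), m4.group("name"), m4.group("path")
    elif sec in ("O2", "O3"):
        m23 = _O23.match(body)
        if m23:
            e.name, e.clsid, e.path = m23.group("name"), m23.group("clsid"), m23.group("path")
    elif sec.startswith("R"):
        mr = _R.match(body)
        if mr:  # R-entry data goes in .path: it is normally a URL or a local file
            e.hive, e.name, e.path = mr.group("hive"), mr.group("name"), mr.group("data")
    # Markers HijackThis prints when the object has no registered name or no file on disk
    if sec in ("O2", "O3") and e.name in (None, "(no name)"):
        e.flags.append("no name")
    if e.path and "(file missing)" in e.path:
        e.flags.append("file missing")
        e.path = e.path.replace("(file missing)", "").strip()
    if e.path == "(no file)":
        e.flags.append("no file")
        e.path = None
    return e


def autostart_parent_dirs(entries: List[HjtEntry]) -> List[str]:
    """Folders that O4 autostart entries launch from, in log order, without duplicates."""
    dirs: List[str] = []
    for e in entries:
        if e.section == "O4" and e.path and "\\" in e.path:
            parent = e.path.rsplit("\\", 1)[0]
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def review(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, List[str]]]:
    """Entries worth a second look, each paired with the reasons (structural features only)."""
    out = []
    for e in entries:
        reasons = list(e.flags)
        p = (e.path or "").lower()
        if e.section == "O4" and ("application data" in p or "applic~1" in p):
            reasons.append("autostart from Application Data")
        if reasons:
            out.append((e, reasons))
    return out
```

Feed it a whole log with `[parse_hjt_line(l) for l in text.splitlines() if l[:1] in "RO"]`; `review()` gives the entries and why, and `autostart_parent_dirs()` gives the folders to inspect once the Run entries are fixed.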
  20. Let's try this: Can you download ComboFix from here. Save it to your desktop BUT don't do anything with it! (Make sure it is saved to your Desktop.)
    Go to Start > Run > copy and paste "%userprofile%\desktop\combofix.exe" /v autdev
    Click "OK" to exit, then reboot the system. Once rebooted, post a new HijackThis log please.
  21. Did you copy and paste C:\WINDOWS\system32\vedtua.* into the second box? Let me know, and we can try another method.
  22. Hi yoyocool2...it looks like Smitfraud is gone, but Vundo has come back again.
    Go here to Upload Malware. Fill out the information, and post the link to this thread. In the File(s) To Submit: box
    1. copy and paste the following: C:\WINDOWS\SYSTEM32\autdev.dll
    Click on Send File and close the page.
    Let's use VundoFix again, but slightly different than before.
    Double-click VundoFix.exe to run it. Right click inside the listbox (white box) and click Add more file? Copy & paste the 2 entries below into the top 2 boxes:
    C:\WINDOWS\SYSTEM32\autdev.dll
    C:\WINDOWS\system32\vedtua.*
    Click Add Files and click Close Window. Click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES. Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will shutdown your computer, click OK. Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.
  23. Hi LJK, Please install a Firewall and post a new HijackThis log. Then, download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.
  24. Hi LJK, While we work to solve your problem, please do not use any Peer2Peer programs to download, except what I ask you to. You need to get a Firewall as instructed in my last post. If you are having problems with one of them, try the next one. If you cannot install any, please let me know what happens, i.e. error messages?
    =====
    Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:
    Live.0nline.Po rtal << I can't find any info on this so uninstall it, unless you know that it is safe
    LiveUpdate << Belongs to Norton, which you do not have anymore. It can go!
    Living Beaches Wallpaper #2 << Uninstall if you do not need this
    =====
    Delete the current NoLop program if you still have it, and let's redownload and start again.
    Please download NoLop to your desktop from one of the links below...
    Link 1 Link 2 Link 3
    First close any other programs you have running as this will require a reboot.
    Double click NoLop.exe to run it.
    Carefully type or copy and paste this series of characters into the lower text area labelled Insert CLSID Here. Include the {}:
    {5CF6DE82-E459-0269-2EB5-20B91EB95C46}
    Now click the button labelled "Search and Destroy" <<your computer will now be scanned for infected files>>
    When scanning is finished you will be prompted to reboot only if infected, click OK. Now click the "REBOOT" button.
    A message should popup from NoLop. If not, double click the program again and it will finish.
    Please post the contents of C:\NoLop.log along with a fresh HijackThis log. Also post a new Uninstall list please.
    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--