insipid

Posts posted by insipid

  1. You could uninstall Ewido; the real-time protection is only a 14-day trial, but it's good to keep around for scanning purposes, and you can still use it for that afterwards. I very much doubt it or HJT is blocking your connection.

    Can you describe your connection difficulties in more detail?

  2. Well, this log is from Normal Mode, well done :). You can leave that 06 entry if you're not sure about it. The only thing I see that's left is this line:

    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

    WildTangent is thought to collect data regarding your surfing habits and report back to its controlling server. I suggest removing it, but the choice is yours. If you choose to remove it, fix the entry with HJT and then remove 'WildTangent' in Add/Remove Programs.

    Other than that, your log is clean. How's it running?

    To reduce re-infection potential for malware in the future:

    Please read Tony Klein's article: So how did I get infected in the first place?.

    It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us regularly and install ALL critical updates.

    It would be a good idea to install a firewall if you don't have one. Here are a few free ones:

    Kerio Personal Firewall

    Zone Alarm

    Sygate Personal Firewall

    I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

    Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

    Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.

  3. Dankwsc, that actually did quite a bit of good. We have more to do, though.

    Please first save these directions to the desktop as a text file, because you will need to copy and paste part of them later, once we are in Safe Mode.

    Click Start >> Run

    Type "services.msc" (without the quotes) in the run box that pops up.

    Locate Awlwsterkfp, right-click on it and select 'Properties'.

    Click 'Stop'.

    Set 'Startup Type' to 'Disabled'.

    Exit services.msc.

    1) Please download the Killbox.

    Unzip it to the desktop but do NOT run it yet.

    2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

    3) Once in Safe Mode, please run Killbox.

    4) Select "Delete on Reboot".

    5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    c:\winnt\system32\xdkbyxru.exe

    C:\WINNT\wupdt.exe

    6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

    Rescan with HijackThis and place a checkmark next to the following entries:

    O4 - HKLM\..\Run: [xdkbyxru] c:\winnt\system32\xdkbyxru.exe

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

    O23 - Service: Awlwsterkfp - Unknown owner - (no file)

    Did you, an Administrator, or a program such as Spybot Search & Destroy set the following restriction? If not, fix it too.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

    Reboot normally and post a fresh HJT log for review. If you still can't get one from Normal Mode, redownload HijackThis from Here .

    Unzip it to the same folder you have HJT in now, allowing it to overwrite the current version. If it still doesn't work, go ahead and post a log from Safe Mode.

  4. chupzy, there's still one bad process showing in your log.

    C:\WINNT\System32\irftp.exe is a variant of the W32/SDBOT worm.

    Please run both of these online virus scans: Trendmicro Housecall and Panda Active Scan.

    • For Housecall, select the 'Autoclean' option. Please tell me of any files it can't clean.
    • For Panda, use the default settings and save the log it generates to post in your next reply.

    Reboot and post a fresh HijackThis log as well as the Active Scan report :).

  5. Dankswsc, since I haven't heard back I'm going to work with this log. You have quite a mess there, so this may take a few posts to clear up.

    First, download and install CleanUp! but do not run it yet. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.

    Download, install, and update Ewido Security Suite:

    • Install ewido security suite
    • Launch ewido, there should be a big E icon on your desktop, double-click it.
    • The program will prompt you to update; click the OK button.
    • The program will now go to the main screen.

    You will need to update ewido to the latest definition files.

    • On the left hand side of the main screen click update
    • Click on Start

    The update will start and a progress bar will show the updates being installed.

    After the updates are installed, exit Ewido.

    Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

    Once in Safe Mode, Run Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).

    After you're done running CleanUp!, follow the instructions below.

    • Run Ewido.
    • Click on scanner
    • Make sure the following boxes are checked before scanning:

      • Binder
      • Crypter
      • Archives

    • Click on Start Scan
    • Let the program scan the machine

    While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

    • Click Save report
    • Save the report to your desktop

    Reboot into normal mode.

    Go to Start > Control Panel > Add or Remove Programs and remove the following:

    SpySheriff

    Exit Add or Remove Programs.

    Delete the following, in bold, if found:

    C:\Program Files\SpySheriff <-whole folder

    C:\Windows\Desktop.html

    C:\winstall.exe

    Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html

    R3 - URLSearchHook: (no name) - {C6000CE3-6670-D005-3C35-F82D96F63836} - NsCplTray.dll (file missing)

    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll

    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

    O2 - BHO: Internet Explorer Hot Fix - {D849BA66-677C-421A-9916-FCFB5D6B9A75} - C:\WINNT\system32\itunb.dll

    O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll

    O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

    O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe

    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINNT\System\svchost.exe /s

    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn64.exe rundll.dll,LoadMouseProfile

    O4 - HKLM\..\Run: [abrek] PasswdMon.exe

    O4 - HKLM\..\Run: [MONITER] DTOURS.exe

    O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe

    O4 - HKCU\..\Run: [eB7mRPfsj] aamcom.exe

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

    O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"

    O4 - HKCU\..\Run: [setupExeDll] RtlFindVal.exe

    O4 - HKCU\..\Run: [keybdll] SysEntry.exe

    O4 - HKCU\..\Run: [xxtoolbar] 34763.exe

    O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

    O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)

    O15 - Trusted Zone: *.skoobidoo.com

    O15 - Trusted Zone: *.slotchbar.com

    O15 - Trusted Zone: *.windupdates.com

    O15 - Trusted Zone: *.skoobidoo.com (HKLM)

    O15 - Trusted Zone: *.slotchbar.com (HKLM)

    O15 - Trusted Zone: *.windupdates.com (HKLM)

    O15 - Trusted IP range: 67.19.178.84

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C...e/bridge-c7.cab

    O20 - Winlogon Notify: style2 - C:\WINNT\q20924938_disk.dll

    O23 - Service: Awlwsterkfp - Unknown owner - (no file)

    Close HiJackThis.

    Please delete these Folders and Files using Windows Explorer:

    C:\WINNT\q20924938_disk.dll << This file

    C:\Program Files\WareOut << This folder

    C:\Program Files\WareOut\WareOut.exe << This file

    * 34763.exe << This file

    * SysEntry.exe << This file

    * RtlFindVal.exe << This file

    C:\Program Files\WareOut\WareOut.exe << This file

    * aamcom.exe << This file

    * winole.exe << This file

    * DTOURS.exe << This file

    * PasswdMon.exe << This file

    C:\WINNT\system32\popcorn64.exe << This file

    C:\WINNT\System\svchost.exe << This file

    C:\Program Files\PSGuard << This folder

    C:\WINNT\system32\perfcl.exe << This file

    C:\WINNT\system32\vfxrc.dll << This file

    C:\WINNT\system32\itunb.dll << This file

    C:\WINNT\system32\vfxrc.dll << This file

    C:\WINNT\ceres.dll << This file

    * Locate via Start > Search

    RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

    Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES. After the merged successfully prompt, please reboot your computer.

    You should be able to change your desktop back to normal now.

    Post the report from Ewido and a new HiJackThis log into this topic.

  6. chupzy,

    I see you're running Microsoft Anti-spyware, and this is good, but it may interfere with our fixes. Please disable it for the time being by right-clicking its icon in the System Tray and selecting 'Shut Down...'.

    Rescan with HijackThis and place a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitenbt32.exe

    Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    Elitebar Internet Explorer Toolbar (or similar)

    Oemji Toolbar

    Please delete these files using Windows Explorer (if present):

    C:\winnt\system32\elitenbt32.exe

    Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

    Reboot and post a fresh HJT log for review.

  7. Hi Dankwsc, I'm guessing the forum you were being helped at is Spywareinfo :). That's my home forum, so it's only fitting that I should continue. Can you tell me the name of the helper that was working on your log so I can inform him/her, so they don't take the time to respond to your log when SWI gets back online?

    The HijackThis log you posted appears to be done in Safe Mode. Please post a log from Normal Mode; it's important I see everything that's running, and I'll be happy to help. Also, can you tell me what you mean when you say your Internet is "useless"? Is it that you can't get online at all, or that it's too messed up to do anything? I'd say we need to fix that as quickly as possible.

  8. Vile_DR, other than the Limewire thing, this looks great. By way of general cleanup, I have a couple of recommendations:

    MWAV detects WildTangent as a possible threat, Panda Active Scan does as well. I generally propose it as an optional fix, so I will do so here as well. It's unnecessary and possibly malicious. I suggest uninstalling WildTangent via Add/Remove Programs in the Control Panel (if it's there) and then deleting this directory:

    C:\Documents and Settings\mboree\Local Settings\Application Data\Wildtangent\

    The other threats MWAV found are in the System Restore cache, you may want to purge it:

    Go to Start->Control Panel->System, System Restore. Click "Turn off System Restore". That will erase all restore points. You will be prompted to reboot. When Windows restarts, immediately go back in and uncheck "Turn off System Restore" to re-enable it. Windows will automatically create a new restore point.

    Did you try the Internet Explorer repair/reinstall yet? If Firefox is working fine, I'd say that's the next logical step, to eliminate a corrupt IE as a culprit. Let me know :).

  9. If the problem is with Internet Explorer itself, this article describes how to repair or reinstall it http://support.microsoft.com/default.aspx?kbid=318378.

    It could be malware, however, that HijackThis isn't seeing. We can try some other detection tools to get a closer look.

    Please download the free MWAV antivirus tool from here:

    ftp://ftp.microworldsystems.com/download/tools/mwav.exe

    Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.

    Also download SilentRunners from here:

    http://www.silentrunners.org/Silent%20Runners.vbs

    Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

    On a side note, I've been recommending removing Limewire and installing a 'clean' P2P application (as an optional fix) for some time. In the past, Limewire was bundled with malware. The newest version is supposed to be clean, but I don't know what the next update will contain. It's your boss's choice; clean alternatives can be found here http://www.spywareinfo.com/articles/p2p

    Please post a fresh HijackThis log, as well as the results mentioned above.

  10. Exodus, that's a clean log (finally) :).

    Windows System Restore can and does backup malware files which can then be reinstalled if you ever restore to a previous point. To prevent this, we need to purge your Restore points:

    Go to Start->Control Panel->System, System Restore. Click "Turn off System Restore". That will erase all restore points. You will be prompted to reboot. When Windows restarts, immediately go back in and uncheck "Turn off System Restore" to re-enable it. Windows will automatically create a new restore point.

    To reduce re-infection potential for malware in the future:

    Please read Tony Klein's article: So how did I get infected in the first place?.

    It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us regularly and install ALL critical updates.

    It would be a good idea to install a firewall if you don't have one. Here are a few free ones:

    Kerio Personal Firewall

    Zone Alarm

    Sygate Personal Firewall

    I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

    Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

    Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.

  11. Ok, Exodus, that's a clean log. We still have a bit of work to do, though. Now we need to see if we need to restore some deleted files:

    Please check for the following files using the Windows Search Engine (Click Start >> Search >> All Files and Folders):

    control.exe

    rundll32.exe

    wmplayer.exe

    msconfig.exe

    notepad.exe

    shell.dll

    SDHelper.dll

    If any are missing or not working properly then you can download new copies from Merijn's Files and follow the instructions at that site to install them where they belong for your OS.

    Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

    Finally, post one more HJT log to be certain you're still clean :).

  12. Exodus, this infection is usually quite easy to fix. Yours is being stubborn, so let's go about it a different way.

    Download this file and unzip it to your desktop

    Then, Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

    Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

    If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

    Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Check the "Automatically quarantine objects prior to removal" setting and then click "Proceed" to save your changes.

    Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a "green" checkmark:

    Scan within archives

    Scan active processes

    Scan Registry

    Deep-scan Registry

    Scan my IE Favorites for banned URLs

    Scan my Hosts File

    Then click on the "Tweak" Button to open up the tweak settings.

    Open up the Scanning Engine section and make sure all of the following are On with a "green" checkmark:

    Scan registry for all users instead of current user only

    Make sure the following is unchecked with a "red" X:

    Unload recognized processes & modules during scan.

    Open up the Cleaning Engine section and make sure all of the following are On with a "green" checkmark:

    Always try to unload modules before deletion

    During Removal, unload Explorer and IE if necessary

    Let Windows remove files in use at next reboot.

    Click the "Proceed" button to save settings.

    Don't scan yet. We will do it in safe mode.

    Ensure hidden files and folders are set to show:

    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Next, go to Start->Run and type "Services.msc" (without quotes), then hit Ok.

    Scroll down and find the service called Workstation NetLogon Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    Please disconnect from the Internet and unplug your modem for the duration of this fix. You may want to print the rest of these instructions.

    Reboot your computer into Safe Mode by tapping F8 while booting up, and continue for the rest of the fix in SAFE MODE.

    While in safe mode, double click on the cwsserviceemove.reg file you downloaded at the beginning. Grant it permission to add the registry items.

    Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

    Bring up task manager Ctrl-Alt-Del and end these processes if they are present

    d3ci.exe

    addxo32.exe

    Now find and delete these files; if you can't find one then don't worry, just move on to the next one.

    C:\WINDOWS\mbcir.dll

    C:\WINDOWS\system32\javazi.dll

    C:\WINDOWS\system32\d3ci.exe

    C:\WINDOWS\system32\addxo32.exe

    Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mbcir.dll/sp.html#37049

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mbcir.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mbcir.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mbcir.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mbcir.dll/sp.html#37049

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mbcir.dll/sp.html#37049

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mbcir.dll/sp.html#37049

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {E14C016F-0342-89AD-D475-D4092601854E} - C:\WINDOWS\system32\javazi.dll

    O4 - HKLM\..\Run: [d3ci.exe] C:\WINDOWS\system32\d3ci.exe

    O4 - HKLM\..\RunOnce: [addxo32.exe] C:\WINDOWS\system32\addxo32.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntro32.exe (file missing)

    The following step is important as you may have several malware files in your temp directories.

    Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.

    Then browse to the C:\Window\Temp folder and delete all files and folders in it.

    Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

    Now navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. Post the log file in your next reply.

    Scan with Adaware by opening it and clicking the "Next" button to start the scan.

    When the scan is completed the Performing System Scan screen will change name to "Scan Complete".

    Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available.

    Click the Critical Objects Tab. In general all of the items listed will be bad. Be careful with the Hosts file entries. Malware uses the hosts file to redirect you to websites. However, you can use the hosts file as a way to prevent malware. If the object has 127.0.0.1 in it, it should most likely not be deleted, as it is protecting against unwanted sites. For more information on how to use a hosts file to protect yourself read here. So in short, you may or may not want to fix the hosts file entries.

    To fix all the bad critical objects do the following:

    Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. In general all should be selected with the exception of the good hosts file entries.

    When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

    Now reboot, and run HijackThis again and post a fresh log along with the AboutBuster log. :)
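The hosts-file point in the post above (a 127.0.0.1 mapping is a blocking entry that protects you; a mapping to some other address is a redirect) is easy to check mechanically before deciding which Ad-aware "Hosts file" objects to fix. The following is an added example, not code from the poster or from any of the tools named on this page. It parses a hosts file the way Windows does (address, then one or more hostnames, `#` comments ignored) and sorts every entry into localhost, block, redirect or malformed. The hosts content is constructed for the example and uses `.invalid` names and the TEST-NET address 203.0.113.7 rather than any real site.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: the default localhost lines, two blocklist-style
# entries (loopback / unspecified address), one redirect of two hostnames to a
# foreign address, and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.adserver.invalid   # blocklist entry: sinks the site locally
0.0.0.0         tracker.invalid
203.0.113.7     www.security-vendor.invalid updates.security-vendor.invalid
999.1.1.1       bogus.invalid
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, skipping comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # address with no hostname maps nothing
        for host in fields[1:]:
            pairs.append((fields[0], host))
    return pairs


def classify(address: str, hostname: str) -> str:
    """localhost: the stock entry; block: loopback/unspecified sinkhole (protective);
    redirect: hostname sent to some other machine (the hijack case); malformed: bad address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return 'malformed'
    if ip.is_loopback and hostname.lower() in ('localhost', 'localhost.localdomain'):
        return 'localhost'
    if ip.is_loopback or ip.is_unspecified:
        return 'block'
    return 'redirect'


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Group every hosts entry by classification, preserving file order within each group."""
    report: Dict[str, List[str]] = {'localhost': [], 'block': [], 'redirect': [], 'malformed': []}
    for address, hostname in parse_hosts(text):
        report[classify(address, hostname)].append(f'{address} {hostname}')
    return report


if __name__ == '__main__':
    for group, entries in audit_hosts(SAMPLE_HOSTS).items():
        for entry in entries:
            print(f'{group:10} {entry}')
```

Only the "redirect" group needs a decision: those are the entries that send a real hostname somewhere else, which is what a hijacked hosts file looks like. Entries in the "block" group are the protective kind the post says to leave alone, and "localhost" is the line Hoster's "Restore Original Hosts" puts back.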

  13. Exodus,

    Rescan with HJT and place a checkmark next to the following entries:

    O2 - BHO: (no name) - {E14C016F-0342-89AD-D475-D4092601854E} - C:\WINDOWS\system32\javazi.dll

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntro32.exe (file missing)

    Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

    Please delete this file using Windows Explorer (if present):

    C:\WINDOWS\system32\javazi.dll

    Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

    Reboot and post a fresh HJT log for review.

  14. Exodus, I see you're still here. That log is looking much better, good job!! You killed three different infections in one shot. We have some more work to do, I'll post more instructions in a few minutes :).

  15. Ok, Exodus, let's try this again.

    You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Locate Pocket Killbox that you downloaded and run Killbox.exe.

    Select "Delete on Reboot".

    Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\system32\osjzi.dll

    C:\WINDOWS\system32\crty.exe

    C:\WINDOWS\system32\winge32.exe

    Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Boot into Safe Mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard.

    If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    To return to normal mode just restart your computer as you normally would.

    1. Run CWShredder:
      • Double-click on CWShredder.exe.
      • Click "Fix ->" and click "OK" at the prompt.
      • CWShredder will scan and clean your system of CWS files.
      • Click "Next->" and then "Exit".

    2. Run AboutBuster and save the logs:
      • Browse to where you saved AboutBuster and run AboutBuster.exe.
      • Click "OK" at the directions Read: Important! prompt.
      • Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
      • Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
      • Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
      • When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
      • Click "Exit" and "Exit" again to exit AboutBuster.

    3. Clean out temporary files:
      • Start | Run | type cleanmgr | OK
      • Let it scan your system for files to remove.
      • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
      • Click "OK" to remove them.
      • Click "Yes" to confirm the deletion.

    4. Restart your computer normally to return to normal mode.

    Next, please disable SpySubtract again, as well as Microsoft Antispyware, as they may interfere with our fixes.

    Rescan with HijackThis and place a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\osjzi.dll/sp.html#37049

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\osjzi.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\osjzi.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\osjzi.dll/sp.html#37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\osjzi.dll/sp.html#37049

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\osjzi.dll/sp.html#37049

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\osjzi.dll/sp.html#37049

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {8C8CD343-933E-8BEC-044F-BDA8B07DAA26} - C:\WINDOWS\system32\crmb32.dll

    O4 - HKLM\..\Run: [crty.exe] C:\WINDOWS\system32\crty.exe

    04 - HKLM\..\RunOnce: [winge32.exe] C:\WINDOWS\system32\winge32.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntro32.exe (file missing)

    Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

    Reboot normally and post a fresh HJT log for review.

  16. Well, that didn't work at all. We're going to have to get serious with this. The file responsible for this infection is changing names at every reboot. Let's find it and kill it.

    Please download Pocket Killbox by Option^Explict here http://www.subratam.org/?page=removal and unzip it to a convenient location. Don't run it yet.

    Post a new HJT log, and please don't reboot or power down your computer until I respond with instructions.

  17. Hi Exodus,

    I see you're running SpySubtract. That's good, but it may interfere with our fixes. Please disable it by right-clicking its icon in the System Tray at the bottom right corner of your screen and selecting 'Exit'.

    We need to disable the bad service in this infection. To stop a service and set to 'disabled':

    • Go to Start > Run and type in Services.msc then click OK
    • Click the Extended tab.
    • Scroll down until you find the service Workstation NetLogon Service.
    • Click once on the service to highlight it.
    • Click Stop
    • Right-Click on the service and select 'Properties'
    • Select the 'General' tab
    • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
    • From the drop-down menu, click on 'Disabled'
    • Click the 'Apply' tab, then click 'OK'

    The service is now stopped and disabled. Exit services.msc.

    Rescan with HijackThis and place a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oqmpf.dll/sp.html#49693

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oqmpf.dll/sp.html#49693

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oqmpf.dll/sp.html#49693

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oqmpf.dll/sp.html#49693

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oqmpf.dll/sp.html#49693

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oqmpf.dll/sp.html#49693

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oqmpf.dll/sp.html#49693

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [ntth.exe] C:\WINDOWS\system32\ntth.exe

    O4 - HKLM\..\RunOnce: [javacg.exe] C:\WINDOWS\javacg.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntro32.exe (file missing)

    You're running Spyware Vanisher, which is on the Rogue/Suspect Anti-Spyware Products here http://www.spywarewarrior.com/rogue_anti-s...re.htm#products. I suggest uninstalling it. Here's the entry to fix with HJT, and you will need to uninstall the main program as well:

    O4 - HKCU\..\Run: [spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan

    Did you or Comcast intentionally put Internet Explorer in your startup folder? If not, or if you don't want IE to launch at startup, fix this entry too:

    O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe

    Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

    Please remove these entries from Add/Remove Programs in the Control Panel (if present):

    Spyware Vanisher (if you chose to fix it with HJT)

    Please delete this folder using Windows Explorer (if present):

    c:\spywarevanisher-free\ (again, if you chose to fix it)

    Please delete these files using Windows Explorer (if present):

    C:\WINDOWS\system32\ntth.exe

    C:\WINDOWS\javacg.exe

    C:\WINDOWS\ntro32.exe

    Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

    Reboot and try to run Housecall again.

    Post a fresh HJT log and tell me of any complications you had.
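Across these posts the same handful of HijackThis entry types keep coming up as the ones to fix: R0/R1 start and search pages pointing at a `res://` DLL (the about:blank hijack in posts 12, 15 and 17) or at a bare IP (post 6), unnamed O2 BHOs, O4 autoruns with no path or an svchost.exe outside system32 (post 5), O15 Trusted Zone additions, O20 Winlogon Notify DLLs and O23 services with no file. The triage script below is an added example, not code from the poster or from HijackThis itself; it encodes those heuristics so a log can be pre-screened before a human reads it. The sample log is constructed from lines of the kinds quoted in the posts plus three benign control lines (an example.com start page, the WildTangent autorun, and a made-up "Example Corp" service); the O16 CLSID and URL are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis lines of the kinds quoted in the posts above,
# plus three benign control lines that should NOT be flagged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://203.125.138.181:83/sop/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oqmpf.dll/sp.html#49693
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E14C016F-0342-89AD-D475-D4092601854E} - C:\WINDOWS\system32\javazi.dll
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINNT\System\svchost.exe /s
O4 - HKLM\..\Run: [abrek] PasswdMon.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://static.example.invalid/cab/bridge.cab
O20 - Winlogon Notify: style2 - C:\WINNT\q20924938_disk.dll
O23 - Service: Awlwsterkfp - Unknown owner - (no file)
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\updater.exe
"""

LINE = re.compile(r'^(R[0-3]|O\d{1,2}) - (.*)$')          # "<type> - <body>"
IP_URL = re.compile(r'^https?://\d{1,3}(?:\.\d{1,3}){3}')  # URL whose host is a bare IPv4
SYSTEM_DIRS = ('\\windows\\system32\\', '\\winnt\\system32\\')


@dataclass
class Finding:
    line: str
    reason: str


def _in_system_dir(path: str) -> bool:
    return any(d in path.lower() for d in SYSTEM_DIRS)


def _o4_target(body: str) -> str:
    """Executable from an O4 body ('HKLM\\..\\Run: [name] path args'); honours a quoted path."""
    target = body.split(']', 1)[1].strip() if ']' in body else body.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split(' ', 1)[0]


def assess(line: str) -> Optional[Finding]:
    """Apply one heuristic per HJT entry type; None means the line looks unremarkable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    low = body.lower()
    if kind in ('R0', 'R1'):
        value = body.split('=', 1)[1].strip() if '=' in body else ''
        if value.lower().startswith('res://'):
            return Finding(line, 'search/start page served from a resource DLL (about:blank-style hijack)')
        if IP_URL.match(value):
            return Finding(line, 'start/search page points at a bare IP address')
    elif kind == 'R3' and 'missing' in low:
        return Finding(line, 'default URLSearchHook has been removed')
    elif kind in ('O2', 'O3') and '(no name)' in low:
        return Finding(line, 'BHO/toolbar without a name')
    elif kind == 'O4':
        target = _o4_target(body)
        if '\\' not in target:
            return Finding(line, 'autorun with a bare filename and no path (locate via Search)')
        if target.lower().endswith('svchost.exe') and not _in_system_dir(target):
            return Finding(line, 'svchost.exe running from outside system32')
    elif kind == 'O15':
        return Finding(line, 'site or IP range added to the IE Trusted Zone')
    elif kind == 'O16':
        return Finding(line, 'downloaded ActiveX (DPF) object')
    elif kind == 'O20':
        if not _in_system_dir(body.split(' - ')[-1]):
            return Finding(line, 'Winlogon Notify DLL outside system32')
    elif kind == 'O23' and ('(no file)' in low or 'file missing' in low or 'unknown owner' in low):
        return Finding(line, 'service with unknown owner or missing binary')
    return None


def triage(log_text: str) -> List[Finding]:
    """Run assess() over every line of a log and keep the flagged ones, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = assess(line)
        if f:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason:70} {f.line}')
```

The heuristics are deliberately conservative: a quoted full path under Program Files (the WildTangent line) passes, as does a service whose binary exists and has a named owner, while anything in the Trusted Zone or loaded by Winlogon from outside system32 is always surfaced for a human to judge. The script is a pre-screen, not a verdict; the posts above show why the final call still needs someone reading the whole log.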