therock247uk

Members
 View Profile  See their activity

  • Content Count

    960

  • Joined

  • Last visited

 Content Type 

Posts posted by therock247uk

  1. Infected Pc

    in Malware Removal

    Posted

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

    You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

    Download about:buster by RubbeRDuckY Here.

    Download CWShredder Here.

    Download SpSeHjfix Here.

    Download and install CleanUp! Here

    Save all of these files somewhere you will remember like to the Desktop.

    Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

    Run the CleanUp! installer. You dont need to do anything with it right now.

    Update About:Buster

    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
    • Now close About:Buster

    Update CWShredder

    • Open CWShredder and click I AGREE
    • Click Check For Update
    • Close CWShredder

    Boot into Safe Mode:

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please run about:buster by RubbeRDuckY:

    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
    • Reboot your computer into safe mode again

    Run about:buster again following the same instructions as above, this time without the restart at the end

    Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

    Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

    Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

    Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

    After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

    Good Luck

  2. Is My Computer Infected ?

    in Malware Removal

    Posted

    Your log is clean :)

    Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    To protect yourself further:

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

    I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

    Credit to PGPhantom for canned speech.

  3. I'm Infected Too! <ab>

    in Malware Removal

    Posted

    1.

    Download about:buster by RubbeRDuckY Here.

    Save the file somewhere you will remember like to the Desktop.

    Please run about:buster by RubbeRDuckY:

    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
    • Boot into safemode again
    • Open About:buster again
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.

    3. Reboot and Download and run http://cwshredder.net/bin/CWShredder.exe click fix.

    4. Then post the about:buster log and a new Hijackthis log here in a reply.

  4. Is My Computer Infected ?

    in Malware Removal

    Posted

    1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    2. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

    O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe

    3. Reboot and delete the folders. (if present)

    C:\WINDOWS\System32\picsvr

    4. Then post a new Hijackthis log here in a reply.

  8. About:blank Hijack

    in Malware Removal

    Posted

    Your log is clean :)

    Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    To protect yourself further:

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

    I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

    Credit to PGPhantom for canned speech.

  10. About:blank Hijack

    in Malware Removal

    Posted

    1. Go into safemode by tapping f8 when the PC starts up you will get a menu select safemode.

    2. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

    O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINNT\system32\msasmsn7.dll (file missing)

    O4 - HKLM\..\Run: [sndPnpMix] C:\WINNT\system32\wauctlxp4.exe

    3. Delete the files.

    C:\WINNT\system32\wauctlxp4.exe

    4. Reboot back into normal mode and post a new Hijackthis log here in a reply.

  11. About:blank Hijack

    in Malware Removal

    Posted

    1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis. If Spywareguard asks you for any changes say yes.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,

    O2 - BHO: (no name) - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINNT\system32\msasmsn7.dll

    O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe

    O4 - HKLM\..\Run: [sndPnpMix] C:\WINNT\system32\wauctlxp4.exe

    2. Reboot and delete the files.

    C:\WINNT\system32\msasmsn7.dll

    C:\WINNT\system32\perfcl.exe

    C:\WINNT\system32\wauctlxp4.exe

    3. Then post a new Hijackthis log here in a reply.

  13. Hijack Log - Apparent Cws Trojan Infection

    in Malware Removal

    Posted

    Your log is clean :)

    Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

    To protect yourself further:

    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

    I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

    Credit to PGPhantom for canned speech.

  15. Monitor/video Card Problems

    in Malware Removal

    Posted

    1. Go to Start > Settings > Control panel > Add/remove and uninstall Viewpoint Manager.

    2. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

    O4 - HKLM\..\Run: [6dt1iphf.exe] C:\WINDOWS\6dt1iphf.exe /dk

    O4 - Startup: 6dt1iphf.lnk = C:\WINDOWS\6dt1iphf.exe

    O4 - Global Startup: 6dt1iphf.lnk = C:\WINDOWS\6dt1iphf.exe

    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...dra/ext360.html

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/118923f433b4c09d2f00/...ip/RdxIE601.cab

    O20 - Winlogon Notify: Guardian - C:\WINDOWS\system32\msg121.dll (file missing)

    3. Reboot and delete the files.

    C:\WINDOWS\6dt1iphf.exe

    C:\WINDOWS\system32\msg121.dll

    4. Then post a new Hijackthis log here in a reply.

  16. Hijack Log - Apparent Cws Trojan Infection

    in Malware Removal

    Posted

    1.

    Download about:buster by RubbeRDuckY Here.

    Save the file somewhere you will remember like to the Desktop.

    Please run about:buster by RubbeRDuckY:

    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
    • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
    • Click "OK" at the prompt with instructions.
    • Click "Update" and then "Check For Update" to begin the update process.
    • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
    • Boot into safemode again.
    • Open About:buster again
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.

    2. Reboot back into normal mode and download http://osc.geekstogo.com/cwsserviceremove.reg run it it will ask to merge into the registery say yes.

    3. Download and run http://cwshredder.net/bin/CWShredder.exe click fix.

    4. Then post the about:buster log and a new Hijackthis log here in a reply.

  17. Hijack Log - Apparent Cws Trojan Infection

    in Malware Removal

    Posted

    1. Go into safemode again.

    2. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchby.net/

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)

    O4 - HKLM\..\Run: [sdkuf32.exe] C:\WINDOWS\sdkuf32.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkyy.exe (file missing)

    3. Delete the files. If there

    C:\WINDOWS\sdkuf32.exe

    C:\WINDOWS\system32\sdkyy.exe

    4. Reboot back into normal mode and post a new Hijackthis log here in a reply.

  18. Hijack Log - Apparent Cws Trojan Infection

    in Malware Removal

    Posted

    1. Make sure your PC is set to show hidden files http://www.xtra.co.nz/help/0,,4155-1916458,00.html Go into safemode go here for instructions. http://service1.symantec.com/SUPPORT/tsgen...001052409420406

    2. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\engcm.dll/sp.html#28129

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\engcm.dll/sp.html#28129

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\engcm.dll/sp.html#28129

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\engcm.dll/sp.html#28129

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\engcm.dll/sp.html#28129

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\engcm.dll/sp.html#28129

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\engcm.dll/sp.html#28129

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {BFD9FA3A-C0CE-30AE-2B7C-0F987054EF24} - C:\WINDOWS\system32\netij.dll

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)

    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_17_0.dll (file missing)

    O4 - HKLM\..\Run: [sdkuf32.exe] C:\WINDOWS\sdkuf32.exe

    O4 - HKLM\..\Run: [d3mf.exe] C:\WINDOWS\system32\d3mf.exe

    O4 - HKLM\..\RunOnce: [crjk.exe] C:\WINDOWS\system32\crjk.exe

    O4 - HKLM\..\RunOnce: [sysnl.exe] C:\WINDOWS\system32\sysnl.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkyy.exe (file missing)

    3. Delete the files.

    C:\WINDOWS\engcm.dll

    C:\WINDOWS\system32\netij.dll

    C:\WINDOWS\sdkuf32.exe

    C:\WINDOWS\system32\d3mf.exe

    C:\WINDOWS\system32\crjk.exe

    C:\WINDOWS\system32\sysnl.exe

    C:\WINDOWS\system32\sdkyy.exe

    4. Reboot back into normal mode and post a new Hijackthis log here in a reply.

  22. Browser Hijacker

    in Malware Removal

    Posted

    1. Disable Spybots teatimer and SpySweeper.

    2. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    3. Reenable Spybots teatimer and SpySweeper and post a new Hijackthis log here in a reply.

  24. Alexx

    in Malware Removal

    Posted

    1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - G:\PROGRA~1\Internet\Schutz\ZEROPO~1\ZERO-P~1.DLL

    2. Reboot and delete the folder.

    G:\Program Files\Internet\Schutz\ZEROPO~1 < Folder starts with ZEROPO

    3. Then post a new Hijackthis log here in a reply.