Posts posted by Dan
-
Hi,
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.
You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.
Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here
Save all of these files somewhere you will remember, like the Desktop.
Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix).
Run the CleanUp! installer. You don't need to do anything with it right now.
Update About:Buster
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update" then click the X to close that window.
- Now close About:Buster
Update CWShredder
- Open CWShredder and click I AGREE
- Click Check For Update
- Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please run about:buster by RubbeRDuckY:
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
- Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.
Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.
Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)
After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
dk
-
Hi,
Please open HijackThis and check the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
Close all windows except HijackThis, and click the "Fix Checked" button.
Reboot and post a new log.
dk
-
BTW: Check out this page: http://www.freebyte.com/graphicprograms/#3D
Try the proggies... I'll tell you guys how I do.
-
Ok..I got another one from terragan...
http://dknoppix.com/Pictures/snowsun.bmp
Not that good, but a start
-
Umm..Are you pressing "Download MP3" cause those are in MP3 format...
-
Would it be easier in another language?
-
Is there any way to make a program in C++ that can save data to a disk (like an ini file) and read information?
Ex.
A wrestling program.
Select option: (1 for edit, 2 for new, 3 for delete) 1
then comes up all of his points for the year.
Is this possible?
dk
-
Hi,
We have a couple of last steps to perform and then you're all set.
First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
- CHECK the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Next, let's clean your restore points and set a new one:
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
- SpywareBlaster to help prevent spyware from installing in the first place.
- SpywareGuard to catch and block spyware before it can execute.
- IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.
To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?
Have a safe and happy computing day!
dk
-
Hey arachnid,
Any other cool proggies like this?
-
Hi,
You are currently running HijackThis from your desktop.
Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted.
To make a new folder:
Go to "My Computer", click on C:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or something like that and then please move the HijackThis.exe executable there.
Please run HijackThis and click "Scan." Place checks next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.joyiex.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joyiex.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.joyiex.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.joyiex.com
O4 - HKCU\..\Run: [ctfnom.exe] C:\WINNT\SVOHOST.exe
If you or your administrator did not put this restriction on Control Panel, also check this item. These restrictions can also be set by software like Spybot Search & Destroy, SpywareBlaster or another similar protection software:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close all windows except HijackThis, and click the "Fix Checked" button.
Locate the following file and delete it:
C:\WINNT\SVOHOST.exe
Reboot and post a new log.
dk
-
Hi,
You are currently running HijackThis from a temporary folder.
Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted.
To make a new folder:
Go to "My Computer", click on C:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or something like that and then please move the HijackThis.exe executable there.
Now, open HijackThis, click the 'Scan' button, and check the following items:
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://dcon.futuremark.com/global/msc37.cab
Close all windows except HijackThis, and click the 'Fix Checked' Button.
Locate the following file and delete it:
C:\WINDOWS\system32\taskswitch.exe
Reboot, and post a new log.
dk
-
Thanks
-
Let's see..No covering it in glue, and wooden toothpicks and we can only use large eggs....Any other questions?
Maybe some more ideas?
Vile, do you have AIM?
dk
-
Ok, I uploaded them to my server (any way to make them a jpg?):
For the second one, I just used arachnid's lake and edited the colors
dk
-
Cool!
I have till oct. 28th to finish it.
How'd you mix the stuff without mixing it lol?
-
I kinda got the hang of it lol
Here's my first one: ... Or not.....I'll upload it later
-
Mac...
We can ONLY use toothpicks and hot glue..lol
-
139 people + 6 crew trapped on a plane.. The front wheel was stuck 90 degrees to the right....Time to make a touchdown landing....WHAT WOULD YOU DO??
This is a very scary event, for the crew as well as the passengers. As the pilot: what do you do? How do I land? What if I survive and everyone else is dead? As the passenger: OMFG /me takes out cell phone, Mom...I'm about to die!!!!!!!!! HOLY S*IT!!!!!!!!
Let's just be thankful that the plane touched down without any problems -- no -- even gracefully, with a messed up wheel.
dk
-
Vinegar removes the shell and leaves the membrane lol....
ty for the advice...I'm building a 'prototype' now
dk
-
I would start with coating the egg entirely with the hot glue
I was thinking of that too
I heard some people soaked it in vinegar, but I dunno if we're allowed, or if it'll help
-
Hmm....Good idea
I don't think there is a limit to toothpicks...but there is a weight limit -egg.
Which one is the vulnerable side? lol
-
Sorry. I posted mine before you edited yours! :oops:
Anyway...about yours, should I add a few more toothpicks around it just for more of the hit to go somewhere else?
-
We're allowed to use anything...I tried Google....nothing really...I got a few links though
http://www.geocities.com/SouthBeach/1856/egg.html
^^ I can't copy off them....
And a few more..I can't find anything explaining the physics of it
Been Hijacked - please Help (posted in Malware Removal)
Hi,
Let's see if you can get into Safe Mode again.
When in there, press Ctrl-Alt-Delete to get into the task manager. Click the processes tab. Find the following process, click it, and select "End Process":
csvun.exe
Now, open Hijackthis, click the scan button, and check the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\dkslz.dll
O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe
O4 - HKLM\..\Run: [icasServ] C:\WINNT\system32\icasServ.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [dmehk.exe] C:\WINNT\system32\dmehk.exe
O4 - HKCU\..\Run: [aupd] C:\WINNT\system32\sysvcs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.84,195.225.176.37
O21 - SSODL: qCmQLSyh - {6CFE85CD-C654-2F67-40F3-5C2A801545B8} - C:\WINNT\system32\mmrd.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_9.dll
Close all windows except HijackThis, and click the Fix Checked button.
Locate the following files and delete them:
C:\WINNT\system32\rund11.exe
C:\WINNT\system32\perfcl.exe
C:\WINNT\system32\icasServ.exe
C:\WINNT\system32\popcorn72.exe
C:\WINNT\system32\dmehk.exe
C:\WINNT\system32\sysvcs.exe
C:\WINNT\system32\mmrd.dll
C:\WINNT\system32\dcom_9.dll
Now, please RIGHT-CLICK HERE to download Silent Runners.
click NO
- You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
- Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here in your next post.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
Finally, Run HijackThis and post a new log, as well as your SilentRunners log.
dk
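Added example, not part of Dan's posts and not HijackThis code: a small Python triage pass over the entry types that recur in these logs (R1 search settings, O2 BHOs, O4 Run keys, O17 NameServer), flagging the patterns the posts above fix by hand. The trusted DNS ranges, the list of imitated Windows binaries and the 0.8 similarity threshold are assumptions; the sample log is constructed from entries quoted in this thread.

```python
import re
from difflib import SequenceMatcher
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample: entries quoted in the posts above, plus a benign O17 line for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SHANED~1\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: (no name) - {6CFE85D3-C654-2F79-FA77-6D16801545BB} - C:\WINNT\system32\Z59JFLk0.dll
O4 - HKLM\..\Run: [RunDLL] C:\WINNT\system32\rund11.exe
O4 - HKCU\..\Run: [ctfnom.exe] C:\WINNT\SVOHOST.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F62805F4-8FB3-45C1-A275-87EBD4C1E533}: NameServer = 85.255.113.123,85.255.112.14
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1
"""

# Windows binaries the entries above imitate (SVOHOST vs svchost, rund11 vs rundll32); assumed list.
SYSTEM_BINARIES = ("svchost.exe", "rundll32.exe", "explorer.exe", "ctfmon.exe", "lsass.exe")
# Resolvers an O17 entry may legitimately name: the home router / LAN ranges (assumption).
TRUSTED_DNS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
DIGIT_SWAPS = str.maketrans("01", "ol")  # digit-for-letter substitutions seen in the log


def lookalike_of(filename: str) -> Optional[str]:
    """Return the system binary a file name imitates, or None if it is not a near miss."""
    name = filename.lower().translate(DIGIT_SWAPS)
    for legit in SYSTEM_BINARIES:
        if name != legit and SequenceMatcher(None, name, legit).ratio() >= 0.8:
            return legit
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for HijackThis entries a reviewer should examine."""
    findings = []
    for line in log.strip().splitlines():
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1") and re.search(r"res://|[A-Za-z]:\\|\\Temp\\", line.split("=", 1)[-1]):
            findings.append(("browser setting points at a local file", line))
        elif kind == "O2" and "(no name)" in line:
            findings.append(("unnamed BHO", line))
        elif kind == "O4":
            exe = line.rsplit("\\", 1)[-1].split()[0]  # file name after the last backslash
            legit = lookalike_of(exe)
            if legit:
                findings.append((f"{exe} mimics {legit}", line))
        elif kind == "O17":
            servers = [ip_address(s) for s in line.split("=", 1)[1].replace(" ", "").split(",")]
            rogue = [str(s) for s in servers if not any(s in net for net in TRUSTED_DNS)]
            if rogue:
                findings.append(("DNS hijack: resolvers " + ", ".join(rogue), line))
    return findings
```

Calling `triage(SAMPLE_LOG)` flags five of the six lines; only the O17 entry pointing at the 192.168.1.1 router passes.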