jwbirdsong
-
Content Count
262 -
Joined
-
Last visited
Content Type
Profiles
Forums
Calendar
Posts posted by jwbirdsong
-
-
Your HijackThis version is WAYYYY out dated.
Please download HijackThis version 1.99.1 from HERE and make sure to unzip and to it's own, permanent folder. To run HijackThis click Scan and then Save log, Post the new log in a reply to this thread. I would be happy to take a look at it.
-
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
-
It's why were here!
-
Congratulations, your log is clean.
First, let's clean your restore points and set a new one:
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
- 1. Turn off System Restore.
- On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
- On the Desktop, right-click My Computer.
2. Restart your computer.
3. Turn ON System Restore.
- On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.
SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.
More info and download is available at link in my signature
Make SURE to read How Did I Get Infected in the First Place??
- 1. Turn off System Restore.
-
Download Hoster from here: http://www.funkytoad.com/download/hoster.zip
Unzip some where permant
Help with unzipping files is HERE
Run the program
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Run the KASPERSKY ON-LINE one more time and post results along w/ a FINAL HijackThis log
-
You've got a bunch of poeple pulling for you in this race Bubba_Bob
...good luck
-
Log is looking great..
You should manually clear out the quarantine folder here ---> C:\Program Files\Yahoo!\YPSR\Quarantine\
Couple of quick questions though.
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
The above indicates you have 5 duplicate lines in your hosts file..did YOU put them there...FWIW that is the correct IP for MS so the enries are OK I just wonder why there are 5.
Other thing that may be of concern is
O17 - HKLM\System\CCS\Services\Tcpip\..\{3243101D-0D98-40D0-83A9-D55D18F3BFB9}: NameServer = 202.188.0.133,202.188.1.5
Seems to be a DNS server in Maylasia..are you there also??
If you aer unfamaliar with your hosts file it is located in C:>WINNT>SYSTEM32>DRIVERS>ETC .
A GREAT Hosts file reader/editor/manager is available from HERE
Great info on hosts available at BleepingComputer
-
Looking really good!!
First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix
Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked
Please run HijackThis and click "Scan." Place checks next to the following entries:
- O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpD5DE.tmp (file missing)
- O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
You may also optionally check the following entries for removal:
All of the following are UN-needed to run at startup. They can be ran as needed; saving system resources for better uses.
- O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
- O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
- O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
- O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
- O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
- O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Close all browser and other windows except for HijackThis, and click "Fix Checked".
Restart your computer and try the Online scan HERE instead...Click on the Online scan button NOT the File scanner..agree to privacy statment and accept the Active X download..Once scan is complete save a log and post a new HijackThis and the Online scan results
ADDED..Also update your Java..go to Control Panel>click on the Java applet>Click Update tab and then Update button...Once the new version is installed and rebooted..Open ADD/Remove in Control Panel and uninstall ALL Java that is NOT version JRE 5 update 6
- O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpD5DE.tmp (file missing)
-
Also when you go to post your replies and have Notepad open..click Format>click wordwrap once to toggle the setting.
-
First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix
Please temporarily disable MSAS by doing the following:
It may interfere with the fix.
- Open Microsoft AntiSpyware.
- Click on Options -> Settings.
- In the left pane, click on Real-time Protection.
- Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
- After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
- Restart your computer.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware
Make sure the settings are changed back when we are done.
Download smitRem.exe ©noahdfear and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
You may have previously ran some of the following programs, please run through the fix and run all programs listed, in order, and make sure to update all
Please download Ewido Anti-Malware, it is a free version of the program.
- Install ewido security suite
- When installing the program, under "Additonal Options" uncheck...
- Install background guard
- Install scan via context menu
[*] Launch ewido, there should now be an icon on your desktop, double-click it.
[*] The program will now open to the main screen.
[*] When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*] You will need to update ewido to the latest definition files:
- On the left hand side of the main screen click update.
- Then click on Start Update.
[*] The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
[*] Close Ewido Security Suite
- Install background guard
If you are having problems with the updater, you can use this link to manually update ewido.
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to the following items
- O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <<--- Leave IF set by you.
- O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://www.35mb.com/downloadapplet.cab
Close all other windows and browsers and click FIX CHECKED
Close HiJackThis.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Run Ewido:
- Click on scanner
- Click on Complete System Scan, the scan will now begin.
- While the scan is in progress you will be prompted to clean files, click OK.
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
- Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
- Click Save Report.
- Now save the report .txt file to your desktop.
- Close Ewido
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Reboot back into Windows and scan your system with Ad-aware:
Ad-aware SE - Download - Home Page
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
Once the definitions have been updated:
Reconfigure Ad-Aware for Full Scan as per the following instructions:
- Launch the program, and click on the Gear at the top of the start screen.
- Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
- "Automatically save logfile"
- Automatically quarantine objects prior to removal"
- Safe Mode (always request confirmation)
- Prompt to update outdated confirmation) - Change to 7 days.
[*]Click the "Scanning" button (On the left side).
[*]Under Drives & Folders, select "Scan within Archives"
[*]Click "Click here to select Drives + folders" and select your installed hard drives.
[*]Under Memory & Registry, select all options.
[*]Click the "Advanced" button (On the left hand side).
[*]Under "Shell Integration", select "Move deleted files to Recycle Bin".
[*]Under "Log-file detail", select all options.
[*]Click on the "Defaults" button on the left.
[*]Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
[*]Click the "Tweak" button (Again, on the left hand side).
[*]Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
- "Unload recognized processes during scanning."
- "Obtain command line of scanned processes"
- "Scan registry for all users instead of current user only"
[*]Under "Cleaning Engine", select the following:
- "Automatically try to unregister objects prior to deletion."
- "During removal, unload explorer and IE if necessary"
- "Let Windows remove files in use at next reboot."
- "Delete quarantined objects after restoring"
[*]Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
[*]Click on "Proceed" to save these Preferences.
[*]Click on the "Scan Now" button on the left.
[*]Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
- "Automatically save logfile"
Close all programs except ad-aware.
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.
Then run this online virus scan: ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
- Select either Home User or Company - Click the big Scan Now button
- If/when you get a notice that Panda wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
Post the contents
- of the Panda scan report
- a new HijackThis Log
- smitfiles.txt
- Ewido Log
in a reply to this thread.
- Open Microsoft AntiSpyware.
-
Congratulations, your log is clean.
First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
- * Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
- 1. Turn off System Restore.
- On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
- On the Desktop, right-click My Computer.
2. Restart your computer.
3. Turn ON System Restore.
- On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.
SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.
More info and download is available at link in my signature
Make SURE to read and follow the advise in How Did I Get Infected in the First Place??
- * Click Start.
-
Log look great except still a couple of services to kill.. Follow the procedure from the 1st post and stop then kill the following services.
cvcworking setting (cvcWork)
Windows Logon (winlog)
Is the name to look for in the list and stop (1st part of fix)
Then use
cvcWork
winlog
as the name for HijackThis part
spend a few hour browsing the web and come back let me know...If all is well I'll have some advise on how to stay clean.
-
Well just off the top I'd say you have a bad keyboard...you DO have some nasty Trojans/Spys so let's get you cleaned up, shall we?
First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix
Click HERE to download Atri's ATF Cleaner (Atri'sTempFile)..Download to your desktop
More info on this tool HERE
Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked
Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:
MsLX32
MsHS64
ILT
When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.(You need to follow these steps for each service; one at a time)
Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):(You need to follow these steps for each service one; at a time)
MsLX32
MsHS64
ILT
Click OK.
It should pull up information about the service, then ask if you want to reboot. Click YES.
Please run HijackThis and click "Scan." Place checks next to the following entries:
- O4 - HKLM\..\Run: [04ug00pk.dll] RUNDLL32.EXE 04ug00pk.dll,b 246724
- O4 - HKLM\..\RunServices: [AdobeReaderPro] syachost.exe
- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
You may also optionally check the following entries for removal:
All of the following are UN-needed to run at startup. They can be ran as needed; saving system resources for better uses.
- O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
- O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
- O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
Close all browser and other windows except for HijackThis, and click "Fix Checked".
Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
Close ALL browsers and then run the ATFCleaner>click Main Select All>Click Empty Selected>OK>Close it
Also, delete the following files (if they exist):
C:\WINDOWS\MsHS64.exe
C:\WINDOWS\MsLX32.exe
C:\WINDOWS\ilt.exe
C:\WINDOWS\winlog.exe
C:\WINDOWS\System32\04ug00pk.dll
C:\WINDOWS\syachost.exe
C:\WINDOWS\System32\syachost.exe
Restart your computer and run this online virus scan: ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
- Select either Home User or Company - Click the big Scan Now button
- If/when you get a notice that Panda wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
Reboot and rerun HijackThis. Please post a new HijackThis log and a log from Randa in a reply to this thread.
- O4 - HKLM\..\Run: [04ug00pk.dll] RUNDLL32.EXE 04ug00pk.dll,b 246724
-
First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix.
First off please put HijackThis in it's own, permanent folder. It's needed for backups.
Help with unzipping files is HERE
Download AboutBuster 6.0:
http://www.besttechie.net/tools/AboutBuster.zip
http://www.malwarebytes.org/AboutBuster.zip
Once downloaded, unzip it, and put the folder on your desktop
Don't run it yet, well do it later in safe mode.
You may have previously ran some of the following programs, please run through the fix and run all programs listed, in order, and make sure to update all
Please download Ewido Security Suite, it is a free version of the program.
- Install ewido security suite
- When installing the program, under "Additonal Options" uncheck...
- Install background guard
- Install scan via context menu
[*] Launch ewido, there should now be an icon on your desktop, double-click it.
[*] The program will now open to the main screen.
[*] When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*] You will need to update ewido to the latest definition files:
- On the left hand side of the main screen click update.
- Then click on Start Update.
[*] The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
[*] Close Ewido Security Suite
- Install background guard
If you are having problems with the updater, you can use this link to manually update ewido.
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to the following items
[R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qwdly.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {12560FD0-2D24-CE5F-05C1-805E95B9124E} - C:\WINDOWS\system32\addom.dll
O2 - BHO: Class - {2F9B49D5-798A-2D7C-7B1B-AC149C906ABC} - C:\WINDOWS\system32\addom.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [mfcod32.exe] C:\WINDOWS\mfcod32.exe
O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [bB.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [mfcod32.exe] C:\WINDOWS\mfcod32.exe
O4 - HKLM\..\Run: [bB.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [bB.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BB.tmp.exe
O4 - HKLM\..\Run: [bC.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\BC.tmp.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
Close all other windows and browsers and click FIX CHECKED
Close HiJackThis.
Open the folder where you put AboutBuster. Double click on the AboutBuster icon>Click Begin Removal
> Click YES> when it's done running click OK to close it.
Run Ewido:
- Click on scanner
- Click on Complete System Scan, the scan will now begin.
- While the scan is in progress you will be prompted to clean files, click OK.
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
- Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
- Click Save Report.
- Now save the report .txt file to your desktop.
- Close Ewido Security Suite
Reboot back into Windows and scan your system with Ad-aware:
Ad-aware SE - Download - Home Page
If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
Once the definitions have been updated:
Reconfigure Ad-Aware for Full Scan as per the following instructions:
- Launch the program, and click on the Gear at the top of the start screen.
- Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
- "Automatically save logfile"
- Automatically quarantine objects prior to removal"
- Safe Mode (always request confirmation)
- Prompt to update outdated confirmation) - Change to 7 days.
[*]Click the "Scanning" button (On the left side).
[*]Under Drives & Folders, select "Scan within Archives"
[*]Click "Click here to select Drives + folders" and select your installed hard drives.
[*]Under Memory & Registry, select all options.
[*]Click the "Advanced" button (On the left hand side).
[*]Under "Shell Integration", select "Move deleted files to Recycle Bin".
[*]Under "Log-file detail", select all options.
[*]Click on the "Defaults" button on the left.
[*]Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
[*]Click the "Tweak" button (Again, on the left hand side).
[*]Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
- "Unload recognized processes during scanning."
- "Obtain command line of scanned processes"
- "Scan registry for all users instead of current user only"
[*]Under "Cleaning Engine", select the following:
- "Automatically try to unregister objects prior to deletion."
- "During removal, unload explorer and IE if necessary"
- "Let Windows remove files in use at next reboot."
- "Delete quarantined objects after restoring"
[*]Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
[*]Click on "Proceed" to save these Preferences.
[*]Click on the "Scan Now" button on the left.
[*]Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
- "Automatically save logfile"
Close all programs except ad-aware.
Click on "Next" in the bottom right corner to start the scan.
Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.
Then run this online virus scan: ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
- Select either Home User or Company - Click the big Scan Now button
- If/when you get a notice that Panda wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
Post the contents
- of the Panda scan report
- a new HijackThis Log
- Log from AboutBuster
- Ewido Log
in a reply to this thread.
- Install ewido security suite
-
I'm starting to get mystified.....Please download Bobbi Flekman Registry Search from THIS page. Run it and paste
into the TOP section. Leave all other boxes checked (default) click OK..post resulting log...WucihAlso Boot to Safemode and use same tool to search for
. NOTE the last search MUST be done in safe mode.adchannel -
Well the only thing that catches MY eye is
and that's just because it's not very common. Do you use the Xerox Document Workcentre XE8x series??O4 - HKLM\..\Run: [WCXELMS] WCXELMS.exePlease click and download Silent Runners.
- * Save it to the desktop.
*Double clicking the "Silent Runners" icon on your desktop to run it .
*Now you will see a text file appear on the desktop - it is NOT done yet, so let it run (it won't appear to be doing anything!)
* After you receive the "All Done!" prompt, double-click on the new text file on the desktop and copy/ paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
- * Save it to the desktop.
-
After I went away and realised we were talking about FF...tg1911 has probably hit on it..you need the flash plugin in your plung in folder.
Get it HERE make sure to get the FLASH player.
-
Check you setting in IE>Tools>Internet Options>Security(tab)> Internet(Globe).
Too high of a setting will stop it from showing.... It's a flash page..Default setting at internet will let you see it but make sure to go back to a higher setting afterward to remain secure on the web.
Disregard...I read your question the other way around...NOT seeing in IE......Well same principal should appy...
I can see it fine in both too Matt
Pleeezzzzz Help Me.[INACTIVE]
in Malware Removal
Posted · Edited by jwbirdsong
You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Help with unzipping files is HERE
First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it on your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish. After the fix begins just follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
After your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please run it by clicking Scan Only,
and check the following items:
Click Fix Checked. Close HijackThis, and click OK to proceed.
Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Run the program, accept statement>next>click> scan>next.
If any items are detected have blacklite rename them except for "wbemtest.exe".
Do not rename "wbemtest.exe" its a windows file. If there are any other files you THINK may be valid don't rename them. Help is available HERE
The tool will ask if you want to reboot (restart) choose yes.
Finally, please post
Note: IF you are having connection problems follow the directions below
(These instruction's are basically for home users.)
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available one some systems