'Stein 150 Lapsed Skeptic Team Colleague

Moved to Virus/Spyware/Nasties thread :)

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, definitely sounds like spyware to me.

I'm going to move your thread into the Viruses/Spyware/Nasties forum.

In the meantime:

Download HijackThis (current version is v1.99.1)

or here (Alternate 1, a self-extracting zip file)
or here (Alternate 2, an *.exe file)

Make a new folder to put your HijackThis.exe into.

(Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:

  • C:\HijackThis\
  • C:\Programs\hijackthis\
  • C:\Windows\My Documents\HJT\

but feel free to use any name.)

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. (This is to ensure it makes the necessary backups for recovery if fixes are made.) Then, double-click HijackThis.exe, and click Scan.

When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that and copy & paste its contents in your reply. Most of what it lists will be harmless or even essential; don't try to fix anything yourself.

Definitely be sure to include this in your reply.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Heh, sorry for being vague.

When I say 'Fix' I mean this:

1) Open HJT
2) Click 'Scan'
3) Place checks next to the lines mentioned
4) Close ALL windows (including this one), and hit 'Fix checked'


And that's fixing with HJT.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Whoa, sorry JediSange, no clue how ya slipped by us.

I'm sorry ;)

_________________

If ya can, post a new HJT log and we'll look at that.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Looks all good to me, except for 2 entries. Fix the following:

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs

Now, restart the computer and post a log back here. We wanna be sure they really disappear.

I have seen your messages throughout the forum, and I would like to congratulate you on your dedicated hard work.

Heh thanks. I guess it makes it that much better that I love my hobby, eh? :)

Lastly, are ya having any more problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, let's try a CCleaner/Ewido combination:

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the 'Cleaner' tab, and inside this, be sure …

'Stein 150 Lapsed Skeptic Team Colleague

Welcome to Daniweb :)

Sure thing, I'd love to help ya out... except there's one problem--you're running HJT from a *.tmp folder.

Fix this by:

1) Creating a new folder in Program Files and naming it 'HJT'. Now, drag the HJT icon into this new folder and run a new scan.

Then, fix the following using HJT:

O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/1/sux.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86804EC2-5387-4692-89CF-E21EFB84EDAD}: NameServer = 72.240.1.205,72.240.1.206
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

Now we're gonna use Killbox:

Copy this advice to a Notepad file. Save it to your desktop. We will use it later.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "delete on reboot" and put a check in the "unregister dll" box.

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\winm32.dll

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" …

'Stein 150 Lapsed Skeptic Team Colleague

Heh alrite, fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

And that looks to be it.

Are ya having any more problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Looks clean to me :)

Any more problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

-Admin, request transfer to Virus, Spyware, and Nasties forum.

Thanks :)

'Stein 150 Lapsed Skeptic Team Colleague

Welcome to Daniweb:)

To clean things up somewhat, we're gonna run a combination of Ewido and CCleaner:

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing …

'Stein 150 Lapsed Skeptic Team Colleague

Ahh, I see the problem.

You're gonna have to run Killbox 2 times:

1) 1 time for the *.dlls
2) 1 time for the *.html

And, it's gonna restart automatically after ya tell it to kill.

SO, run it for the *.dlls, let it restart. Then, reboot into safe mode again, and run it for the *.html.

Sorry for the confusion.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Well first off, you're running HJT from a *.tmp folder.

Fix this by first creating a new folder in the Program Files, titled 'HJT'. Then, move the HJT icon into this folder and run it from there.

Then, fix the following with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

But other than that, I don't see too much.

Let's run CCleaner/Ewido:

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. …

'Stein 150 Lapsed Skeptic Team Colleague

Awesome.

I see some things in there, but first, let's run Ewido/CCleaner:

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the …

'Stein 150 Lapsed Skeptic Team Colleague

so what is best anti virus?

Generally, an AntiVirus is a program that scans the computer's hard drive for similar behaviors, per se, of viruses and such.

i want a anti virus that can protect my computer much better

Definitely, one of the best AVs currently on the market is AVG.

Also, it's free.

However, the best way to avoid viruses and such is not just a single AV. Rather, it's the combination of several antispyware programs, along with BEING SMART on the internet--no stupid downloads and such.

Also, realize I said several antispyware programs, not AVs. Running multiple AVs can easily result in a computer crash. In other words, don't do it :)

(aka hard to find a DL of it online if you wanna go non legit)

Lastly, please don't cheat the companies that help us in the battle against malware. They're the ones helping us.

If ya have any more questions, post back.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Welcome to Daniweb :)

Roger that, you're infected with a SpyAxe infection.

Let's begin by downloading
SmitfraudFix. Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Next, download the trial version of Ewido.

  • Install Ewido.
  • When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
  • When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
  • The program will prompt you to update. Click the Ok button.
  • The program will now go to the main screen.

You will need to update Ewido to the latest definition files.

  • On the left-hand side of the main screen click the Update Button.
  • Click on Start.

The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update Ewido. Make sure to close Ewido before installing the update.

Next, download CCleaner, specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark

'Stein 150 Lapsed Skeptic Team Colleague

Roger that, that's a clean log :)

Are ya having any more problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hah no problem.

If ya could mark the thread as solved, it'd be great.

Thanks again :)

'Stein 150 Lapsed Skeptic Team Colleague

Whoa, COMPLETELY don't see how we missed your thread.

I apologize ;)

Ok, now for the fix
_____________________

First off, I don't see much that could be causing the problem, BUT, let's fix some things anyways.

Open HJT and place checks next to the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

Now, close all windows and hit 'Fix Checked'

Ok, now time for Ewido/CCleaner:
_________________________

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the …

'Stein 150 Lapsed Skeptic Team Colleague

Well, that's a clean log...except for one thing.

Ya don't have the latest version of Java, which is sorta important.

Here's the link for downloading the latest version.

Lastly, are ya having any problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Well, Ewido didn't kill everything, but a lot of it.

Begin by opening HJT and placing checks next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\Run: [FilmLoop] "C:\Program" -hide
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

Now, we're gonna use Killbox:

Copy this advice to a Notepad file. Save it to your desktop. We will use it later.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "delete on reboot" and put a check in the "unregister dll" box.

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\secure32.html
C:\WINDOWS\system32\winbrume.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll

6) Return to Killbox, go to the …

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, I dunno tho, I've recently experienced it with another really long post in the same forum (I can't recall exactly which one it is tho)

Outta curiosity, ya haven't changed the coding for any of the sites recently, have ya?

Also, I question whether it's a FF problem now, 'cause after looking, my copy hasn't been updated since May 2nd...

Bah, who knows...at least it works in IE ;)

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, disappointingly, I see nothing definitive in your log that points to the problem.

However, I AM suspicious about a couple:

1) ResChanger 2005 - Do you know what this is/use this program?

2) PhotoShow Deluxe Media Manager - Do ya kno what this is/use the program?


____________

Secondly, we're gonna use Adaware and see if it picks up anything else:

Please do the following: Download, install, update, configure, and run Ad-Aware SE Personal 1.06.

  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing, uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal
    • Double-click the Ad-Aware SE Personal icon on your Desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure the following items have a green check/tick next to them. If they do not, click once on the circle next to them to put a green checkmark:
        • "Automatically …

'Stein 150 Lapsed Skeptic Team Colleague

As for MSN Plus, I need that; MSN sucks without it. Can't I keep it?

Well, it really all depends on whether ya got it along with MSN.

Oftentimes, MessengerPlus3 is a valid sign of bad viruses etc, mostly because it's often connected to the virus.

However, if ya kno ya got it with MSN, it's alrite to keep.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Ahh, completely missed that.

Good catch crunchie :)

'Stein 150 Lapsed Skeptic Team Colleague

Well, completely reformatting the disc will remove EVERYTHING from it, including legitimate programs and such.

SO, for this reason, we recommend burning a CD/buying and using a memory key to save all the data, documents, etc that ya wanna keep.

The question is..do I just put in the operating cd I got when I got my computer and let it start over?

Well, it's slightly more complicated than that, but generally, that's the idea.

Here's a very good set of instructions for help with it. More or less, you're going to have to print it out, as you won't be able to access internet while reformatting.

_________________


Acknowledgements: Thanks to DKnoppix and Crow for most of the images and dgosling for helping get this set up.

This guide shows how to reformat your computer in case of a severe corruption or a severe malware infection where helpers cannot guarantee the security of your computer.

This guide is for reinstalling XP only. Do not use this guide if you are not reinstalling windows XP. Only use this guide if you are reformatting using the XP cd (not using a 'recovery partition' that some computer manufacturers use)

This guide is 'as is'. There are many circumstances which may change the success of your reformat.

Now then, let's get started:
Before you can reformat, you will need to have the following:

Prerequisites:
1. Your windows XP cd.
2. A means …

'Stein 150 Lapsed Skeptic Team Colleague

Hmm alrite. The Ewido scan looks good except for 1 line:

C:\dhhht.exe/userlist.exe -> Backdoor.Iroffer.ac : Error during cleaning

Also, it makes it that much worse that it's a Backdoor infection.

We'll try to kill it at the end.
________________

Copy this advice to a Notepad file. Save it to your desktop. We will use it later.

Begin by uninstalling MyWebSearch.

Alrite, now open HJT and place checks next to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\6.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\6.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe
O4 - HKLM\..\Run: [{47-7A-A8-81-ZN}] C:\windows\system32\rodsregq.exe CORN001
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinpsag.exe CORN001
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [w00454b4.dll] RUNDLL32.EXE w00454b4.dll,I2 000d01f4000454b4
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\6.bin\mwsoemon.exe

'Stein 150 Lapsed Skeptic Team Colleague

Awesome.

Begin by uninstalling the following programs via Add/Remove Programs:

MessengerPlus3
Viewpoint Manager

Now, open HJT and place checks next to the following:

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

Now, delete the following folders:

C:\Program Files\Viewpoint
C:\Program Files\MessengerPlus! 3

Now, restart the computer and post a new log back here.

Lastly, are ya still having problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, I see several things.

First, let's fix the LSP.

Download LSP-Fix and run it, fixing what it tells you to.

Next, continue by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every …

'Stein 150 Lapsed Skeptic Team Colleague

Good good, last thing, could we see a HJT log?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, that's very good that CCleaner ran.

it had already expired so now I'd have to buy it.

Er... not exactly. The only 2 things that expire are Auto updates and a background guard... neither of which is necessary to run.

Just be sure to manually update before a scan.

Ok, I can't find it on my computer at first glance. Did the cleaner remove it?

*looking back up at the log*

Arg ya, I was stupid :mad: I forgot to have ya move it into a permanent folder.

SO, let's dl it again:

http://downloads.malwareremoval.com/hijackthis.zip

Before running, create a new folder inside Program Files, named 'HJT'. Now, move the HJT icon into this newly created folder, and run a new scan from there.

Post the log back here.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Nope, I have a strong feeling that, since it's a *.tmp file, it's spyware.

SO, after disabling it, run CCleaner and Ewido again.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, based on what was found in your Ewido log, we are currently in a predicament.

Backdoor.Haxdoor is a rootkit-type virus that has been known to steal bank records from its infected computer.

Because of this, you are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for ISP login, email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

and what ever else seems appropriate.


Here's an article on the infection.


There are 2 options to go from here:

1) The complete reformat. This is the only 100% guaranteed way to rid yourself of the infection. This is also my personal recommendation.

As said by a fellow IT pro:

Personally...You can always backup files to multiple CD’s, Network or another PC. Yup it's work. Once financial information or an identity is stolen, however, it takes a lot more …

'Stein 150 Lapsed Skeptic Team Colleague

O ya, last thing. Ya might wanna consider switching over to the FireFox browser. It's very similar to IE, except it's safer and more secure (and therefore has less spyware and such).

This is because FF is less-integrated into the system.

The link for this is in my sig.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

I click on a page; on the status bar at the bottom of my screen I can see it go to an ad.doubleclick address and an adjuggler address

Oftentimes, this depends on the sites ya go to.

also the proxy override thing is still present in my hijackthis log

Although I fix this sometimes, it's not really necessary--it's about inter-router fixings and such.

Ya can fix it if ya want.

now that i'm clean should i install service pack 2

Roger that :)

Also, be sure to rehide system files:

We need to re hide system files. To do so, please follow the steps below:

  1. Double-click My Computer.
  2. Click the Tools menu, and then click Folder Options.
  3. Click the View tab.
  4. Put a check by "Hide file extensions for known file types."
  5. Under the "Hidden files" folder, select "Show hidden files and folders."
  6. Check "Hide protected operating system files."
  7. Click Apply, and then click OK.

Lastly, could ya mark the thread as solved?

Thanks again :)

'Stein 150 Lapsed Skeptic Team Colleague

Awesome. If ya could mark the thread as solved, it'd be great.

Thanks again :)

'Stein 150 Lapsed Skeptic Team Colleague

Sure thing, that's a clean log.

About the 2 AVs, here's a good website about it. I'd recommend reading it.

Lastly, are ya having any problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Welcome to Daniweb :)

Ok, first thing I see in the processes are things like this:


C:\DOCUME~1\Elise\LOCALS~1\Temp\Adobelm_Cleanup.0001

In other words, they're running from a *.tmp folder, and generally are bad.

SO, first thing we're gonna do is run CCleaner in safe mode:
________________

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and …
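
The log entries quoted in the posts above (the O17 NameServer and Winlogon Notify lines, the secure32.html start-page lines, the BHO marked "(file missing)", the RunServices entry with a bare cmd32.exe, and the process running out of a Temp folder) can be triaged mechanically. The following Python script is an added example, not 'Stein's or Daniweb's own tool; the line formats it assumes are those of the HJT logs quoted in this thread, and its sample input is assembled from those quoted lines plus the Temp-folder process line. A hit is a prompt to look, the way the thread treats these entries, not a verdict: a benign Local Page such as blank.htm trips the same local-file rule as secure32.html.

```python
"""Triage of HijackThis (HJT) log lines.

Added example for this thread, not 'Stein's or Daniweb's own tooling. It
encodes, as review heuristics, the kinds of entries the posts keep asking
people to fix: IE start/search pages pointed at a local file, O17 NameServer
overrides, BHO/hook entries whose file no longer exists, autorun entries
with no full path, and anything running from a Temp folder or a *.tmp name.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Line shapes as they appear in the logs quoted in the thread (assumed stable).
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
O4_LINE = re.compile(r"^O4 - HK..\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
LOCAL_FILE = re.compile(r"^(file:///)?[a-z]:[\\/]", re.I)  # c:\x or file:///c:/x
QUALIFIED = re.compile(r'^"?[a-z]:\\', re.I)               # command starts with a drive path
MISSING = re.compile(r"\((file missing|no file)\)", re.I)
TEMP_PATH = re.compile(r"\\temp\\|\.tmp\b", re.I)


@dataclass
class Finding:
    rule: str
    line: str


def triage(lines):
    """Return one Finding per suspicious line; the first matching rule wins."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            # Start/Search/Local page pointing at a file on disk rather than a URL.
            if LOCAL_FILE.match(m.group("value").strip()):
                findings.append(Finding("ie-page-local-file", line))
            continue
        m = O4_LINE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not QUALIFIED.match(cmd):
                # Bare name like cmd32.exe: resolved via the search path at logon.
                findings.append(Finding("unqualified-run-entry", line))
            elif TEMP_PATH.search(cmd):
                findings.append(Finding("runs-from-temp", line))
            continue
        if O17_LINE.match(line):
            findings.append(Finding("dns-override", line))
        elif MISSING.search(line):
            findings.append(Finding("orphaned-entry", line))
        elif TEMP_PATH.search(line):
            # Covers the "Running processes" section, where lines are bare paths.
            findings.append(Finding("runs-from-temp", line))
    return findings


def summarize(lines):
    """Count findings per rule: a quick 'is there anything to look at?' answer."""
    return dict(Counter(f.rule for f in triage(lines)))


# Sample input assembled from log lines quoted in this thread; the first line
# is the Temp-folder process from the later post.
SAMPLE_LOG = r"""
C:\DOCUME~1\Elise\LOCALS~1\Temp\Adobelm_Cleanup.0001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKLM\..\Run: [FilmLoop] "C:\Program" -hide
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O17 - HKLM\System\CCS\Services\Tcpip\..\{86804EC2-5387-4692-89CF-E21EFB84EDAD}: NameServer = 72.240.1.205,72.240.1.206
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:24} {f.line}")
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against a saved HJT log with `triage(open("hijackthis.log").read().splitlines())`. The rules deliberately stop at "look at this": the ProxyOverride and the two fully qualified O4 entries in the sample produce nothing, and the Yahoo search URLs from the other posts would not either, because a real URL is not a local file.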

'Stein 150 Lapsed Skeptic Team Colleague

Heh, to be sure it's all cleared up, let's post back with C:\rapport.txt, the Ewido scan log, and a new HJT log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, so I go into processes & highlight the one you listed below & press "end process"?

Exactly. But, the ~ in the name means that the computer doesn't know exactly what letter, per se, it is.

SO, with luck, it'll appear in the Processes as ~e5d141.tmp. However, it's more likely that the ~ is some other letter or number.

Examples of possibilities:

te5d141.tmp
le5d141.tmp

And such like that.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

The only thing that I could suggest is a bug in the Firefox browser where it's memory limited or such.

Sounds good to me :cheesy:

*Now helping victim with IE*

Thanks for your time Dani.

'Stein 150 Lapsed Skeptic Team Colleague

First off, I forgot to look at this, but I see a problem right off: You're running 2 antiviruses. When this is done, it can cause some major problems.

Currently, you're running both AVG and Norton Antivirus, and ya NEED to uninstall either one. Personally, I'd uninstall Norton (I have used both, and consider AVG MUCH better), but that's personal opinion.

Next, you're not up-to-date in your Windows Updates. However, do not run them now. BUT, be sure to run it after you're clean. (I'll try to remind ya after you're clean).

Now, we're gonna run CCleaner. Instructions for this are below:

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your …

'Stein 150 Lapsed Skeptic Team Colleague

That's a clean log.

Are ya still having problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Roger that completely. ALSO, the 'reply' part won't load anyways.

Here's one in particular.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Robadia, try maybe uninstalling/reinstalling the program.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, that sounds like a program problem, not a spyware problem to me, BUT, let's wait for a second opinion...

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm alrite, based on the symptoms, ya seem to have a SpyAxe infection. SO, let's run this fix:

Alrite, you're infected with a SpyAxe variant.

Let's begin by downloading SmitfraudFix. Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer, so it will take some time to run. When done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Post # 2 - Clean

Please print out or copy/paste these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all of the steps in the exact order in which they are listed below. If there's anything that you don't understand, ask before moving on.

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. …

tayspen commented: Thanks for catching that unregister .dll on that one thread. And just all around great job helping out :). +2
'Stein 150 Lapsed Skeptic Team Colleague

Awesome, welcome to Daniweb.

Well that's a clean log.

It's not spyware that seems to be the problem. Rather, it's a computer issue.

Try downloading and using FireFox, and report back on how the problem is. (the link's in my sig below).

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm alrite. Let's try running the same fix without the Ewido.

T- ya, I just realized, windows ME O23 and such don't register with HJT.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Excellent, that's a clean log.

Are ya still having problems?

Thanks.