Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware, still on my comp? [CLOSED]


  • This topic is locked This topic is locked

#61
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Alright, see you in a bit



Justin
  • 0

Advertisements


#62
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
First update your AVG. Then boot into safe mode and do a full system scan.

reboot into normal mode

You have a number of randomonly named files on your system.
We like to start with an online virus and trojan scan. Even though you may have antivirus software on your system, it can become corrupted by malware.


Please run a free online virus scan at one of these two sites:

ActiveScan
Kaspersky
Save log and post in next reply


And a free trojan scan at one of hese two sites:
Trojan Scan
Trojan Scan2
  • 0

#63
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Heh, I would go online and do a scan, But its not connected to the internet. I have 3 computers. The one im typing on right now, The one we just fixed, and then the one we are about to work on. So i cant do online scans, Sorry man


Justin
  • 0

#64
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Another wierd thing is that when I run AVG, It closes out in the middle of the scan. Its like a virus is stopping it from scanning. Im running a program called Registry Mechanic and its fuond over 1,000 files that have problems on them. So maybe after i get this done, ill run AVG again and maybe it wont close out from the virus's. Ill keep updating to keep you posted :tazz:



Justin
  • 0

#65
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Still closes out of the program. Something is keeping it from fully running the scan. It did that to spysweeper also. Now what do I do. . .


Justin
  • 0

#66
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
So you finished none of the programs?


Tom
  • 0

#67
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
Absolutely none of them. Except for registry mechanic, it got rid of 1325 files. But the other programs wont work.




Justin
  • 0

#68
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts

DOWNLOAD PROGRAMS


Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Download CWShredder here to its own folder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
We will be using this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

5. Close all browsers, windows and unneeded programs.

6. Open HiJack and do a scan.

7. Put a Check next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\5.BIN\MWSSRCAS.DLL
F1 - win.ini: run=C:\WINDOWS\SYSTEM\mouse_configurator.win
O2 - BHO: PopBlock Class - {A25A30C9-6D9A-46D0-A92C-05ABD82A83AE} - C:\PROGRAM FILES\ADBLOCKER\PopupBlocker.dll
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [SystemTasks] C:\filez.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel32.win
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\SYSTEM\Israfel.vbs
O4 - HKLM\..\RunServices: [d2maphack] C:\WINDOWS\SYSTEM\d2maphack.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm414XXUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.exe


8. click the Fix Checked box

9. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

MYWEBSEARCH
ADBLOCKER


10. Please remove the following folders using Windows Explorer (if present):

C:\PROGRAM FILES\ADBLOCKER
C:\PROGRAM FILES\MYWEBSEARCH


11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\filez.exe
C:\WINDOWS\SYSTEM\Kernel32.win
C:\WINDOWS\SYSTEM\Israfel.vbs
C:\WINDOWS\SYSTEM\d2maphack.exe
C:\WINDOWS\SYSTEM\mouse_configurator.win


12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please go here and upload

C:\Windows\System\folder.htt

then please post the results in your next reply.

15. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.

Edited by Excal, 16 July 2005 - 10:11 AM.

  • 0

#69
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
I dont have internet on this computer, like the post i posted before, we have only 1 comp online right now. But ill do everything else.




Justin
  • 0

#70
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
You need to download those 2 programs on the internet computer and transfer to this one.


:tazz:


Tom
  • 0

Advertisements


#71
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
I was talking about activescan





Justin
  • 0

#72
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
The C:\Windows\System\folder.htt status is ok. Heres a fresh hijack scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:21:04 PM, on 7/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\PSSVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\REGSRV.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\WSCRIPT.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=C:\WINDOWS\SYSTEM\mouse_configurator.win
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_11_0.DLL
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\PROGRAM FILES\SLINGSHOT\ties\dlIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_11_0.DLL
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D7F7-EC7EA385FA7D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [winupdates] \winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [tcactive] C:\PROGRAM FILES\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\PROGRAM FILES\THE CLEANER\tcm.exe
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel32.win
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\SYSTEM\Israfel.vbs
O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Dell Home - {9C31CA00-6082-11D3-8607-00C04FCFBDA1} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
  • 0

#73
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Spysweeper

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it click >Options over to the left then >Program Options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".



THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

F1 - win.ini: run=C:\WINDOWS\SYSTEM\mouse_configurator.win
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D7F7-EC7EA385FA7D} - (no file)
O4 - HKLM\..\Run: [winupdates] \winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel32.win
O4 - HKLM\..\Run: [Israfel] C:\WINDOWS\SYSTEM\Israfel.vbs
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


7. click the Fix Checked box

8. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\SYSTEM\mouse_configurator.win
C:\WINDOWS\SYSTEM\Kernel32.win
C:\WINDOWS\SYSTEM\Israfel.vbs


9. Please post a fresh HiJackThis log. Let me know how your computer is running.

So this can't be hooked to the Internet at all?


Thanks,

:tazz:

Excal
  • 0

#74
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
I can try to get it hooked up, but no promises. . .


Justin
  • 0

#75
Jajo

Jajo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 56 posts
ok, im on it. And, wow, there is a lot wrong with this. So slow, different color screen. The screen resolution was off. . .So ill do the online scan and post it on here for you



Justin
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP