Computer Hope

Software => Computer viruses and spyware => Topic started by: Helpme220 on December 20, 2009, 11:54:38 AM

Title: Still trying to get rid of virus
Post by: Helpme220 on December 20, 2009, 11:54:38 AM
Did what the first post recommended: removed all programs, CCleaner and such. Ran all logs; they are attached here. It all started after downloading an update to Adobe. Removed Adobe and all internet browsers, i.e. Internet Explorer, MSN, Bonjour. Installed Mozilla Firefox. Was working fine, no hijacks, until I tried another Adobe program. Computer is running slow opening and closing programs and typing. Hopefully somebody can look at these logs and figure it out. Running XP. Normally run AVG 8.5, antispyware, malware, and ZoneAlarm for my firewall.
Thanks

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on December 21, 2009, 05:13:50 PM
Hello Helpme220 and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Download Disable/Remove Windows Messenger  (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/html - {2ee8be41-c6be-4dfd-a28b-a5cd7cd24aa4} - C:\WINDOWS\system32\msiebbar.dll


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on December 26, 2009, 04:30:44 PM
Hey SD, thanks for helping me out. Sorry I didn't do all this sooner, Xmas and all. I ran HijackThis, only saw three things that matched, ran Fix checked, only got rid of two; the O18 hijack browser is still in there. Downloaded ComboFix, it ran but didn't give me any log. At least it wasn't saved to my desktop, the log that is. Here is my HijackThis log. Please let me know if I am doing something wrong with the ComboFix. I used the first link, seemed to work; the second link took me to a place all in Spanish. Don't speak it, so really I ran out of ideas.
Thanks again
Helpme220

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on December 26, 2009, 07:37:59 PM
My fault. I forgot to have you remove the file. Too much eggnog, I suppose.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O18 - Filter hijack: text/html - {2ee8be41-c6be-4dfd-a28b-a5cd7cd24aa4} - C:\WINDOWS\system32\msiebbar.dll


Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

Reconfigure Windows XP to show hidden files:

Click Start. My Computer.
Select the Tools menu Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Click Start, Search, select All Files and Folders. Copy and paste

C:\WINDOWS\system32\msiebbar.dll

and click Search. Delete this file.

You should be able to find the ComboFix log at C:\ComboFix. If you can't find it, please send me another HJT log.
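As an added example (not from the thread and not HijackThis code), a small Python triage script that parses the HJT entries quoted above and singles out the O18 filter entry, since that is the one that names the DLL the next step searches for and deletes; the sample lines are constructed from this thread.

```python
"""Triage of HijackThis (HJT) log entries. Added example, not part of HJT."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: the five entries SuperDave asked to have fixed.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter hijack: text/html - {2ee8be41-c6be-4dfd-a28b-a5cd7cd24aa4} - C:\WINDOWS\system32\msiebbar.dll
"""

# O4: autostart value under HKLM/HKCU ...\Run  ->  [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O9: Internet Explorer extra button / Tools menu item  ->  caption - {CLSID} - path
O9_RE = re.compile(r"^O9 - (?P<kind>[^:]+): (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
# O18: urlmon protocol handler or MIME filter  ->  target - {CLSID} - DLL path
O18_RE = re.compile(r"^O18 - (?P<kind>Filter hijack|Filter|Protocol): (?P<target>\S+) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str            # O4, O9 or O18
    name: str               # autorun value name, button caption or MIME type
    path: str               # executable or DLL the entry loads, quotes stripped
    clsid: Optional[str]    # normalised to lower case, None for O4
    severity: str           # "info", "low" or "high"
    note: str


def _unquote(p: str) -> str:
    return p.strip().strip('"')


def triage(log_text: str) -> List[Finding]:
    """Parse the O4/O9/O18 lines of an HJT log into Finding records."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            findings.append(Finding("O4", m["name"], _unquote(m["cmd"]), None, "info",
                                    f"autostart from {m['hive']}\\...\\{m['key']}"))
        elif (m := O9_RE.match(line)):
            findings.append(Finding("O9", m["name"], _unquote(m["path"]), m["clsid"].lower(),
                                    "low", "Internet Explorer button or Tools menu item"))
        elif (m := O18_RE.match(line)):
            if m["kind"].startswith("Filter"):
                # A MIME filter DLL is loaded by IE (urlmon) to process every
                # response of that type; legitimate text/html filters are rare.
                sev, note = "high", f"MIME filter for {m['target']}: rarely legitimate"
            else:
                sev, note = "low", f"protocol handler for {m['target']}:"
            findings.append(Finding("O18", m["target"], _unquote(m["path"]),
                                    m["clsid"].lower(), sev, note))
    return findings


def files_to_locate(findings: List[Finding]) -> List[str]:
    """Paths of high-severity entries, i.e. the files to search for and remove."""
    return [f.path for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<3} {f.severity:<5} {f.name:<20} {f.path}  ({f.note})")
    print("locate:", files_to_locate(triage(SAMPLE_HJT_LOG)))
```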
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on December 28, 2009, 04:13:21 PM
Hey SD. Ran HijackThis, tried to Fix checked the O18 hijack browser, wouldn't get rid of it. Went in computer, wouldn't find the msiebbar file. Also only found ComboFix files that were .dat or .pf files; I couldn't post them, the forum does not support them. I reran my HijackThis and I am attaching it. Does the ComboFix file have to be .txt? Also my computer is running extremely slow.
Thanks again for the help
Helpme220


[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on December 29, 2009, 06:47:59 AM
Yes, the ComboFix log is a txt log. Did you look in the C: drive under Combofix? If you can't find it, could you please run it again?
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on December 30, 2009, 03:16:43 PM
Hey SD, I keep running the ComboFix. It will run, give me an hourglass, then nothing. I searched several times, it shows no text file. I disabled my shield protection from AVG 8.5 and completely disabled my ZoneAlarm firewall. I am also running antispyware and malware software. Would that affect me getting my ComboFix text log? Should I just delete all my virus software and reinstall? I went in earlier and did a HijackThis scan and tried to Fix checked the O18 browser hijacker. Still won't go away; then searched again for the msiebbar file, shows it's not there. I did another HijackThis scan and I am attaching it. Thank you again, getting tired of this.
Helpme220

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on December 30, 2009, 04:28:20 PM
Quote
Would that effect me getting my combofix text log?Should i just delete all my virus software and reinstall?

Not disabling your AV and Firewall should not prevent ComboFix from running. It just affects how it runs. By all means, don't delete your AV until I check with my mentor.

Download DDS from HERE (http://www.techsupportforum.com/sectools/sUBs/dds) or HERE (http://download.bleepingcomputer.com/sUBs/dds.scr) or HERE (http://www.forospyware.com/sUBs/dds) and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on December 30, 2009, 06:58:03 PM
Okay, I tried the first link, no page. Second link seemed to work. I downloaded to the desktop. I ran it; the first time it took five minutes and just would make a dash ,,,,,,,,,,,, . So I went and ran it again, then the screen would just disappear. Ran it again, same thing. Tried to go to the last link to download, just said it wouldn't run in DOS. So now what? I do have to say I am amazed by your patience; I am ready to smash this thing. Also I am running Mozilla Firefox for my browser, would that have anything to do with all these downloading problems? Just asking. Here you go SD, hope you like a challenge.

helpme 220
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 04, 2010, 11:46:00 AM
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
Rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
Rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
Rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)

Once you've gotten one of them to run then try to immediately run the following.
 
Now download and Run exeHelper.

Please download exeHelper from Raktor (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 04, 2010, 05:16:05 PM
Hey SD, so I ran the first Rkill program, then the exeHelper. I think it worked; here is the log.
Thanks again
 Help me 220

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 04, 2010, 05:32:30 PM
Try running ComboFix again.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 04, 2010, 07:24:17 PM
Hey. Well, it worked; here is my ComboFix log.


[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 06, 2010, 07:02:52 AM
Download GMER Rootkit Detector (http://majorgeeks.com/GMER_d5198.html) and save it to your desktop.
 
* Extract it to your desktop and double-click GMER.exe
* Make sure all of the boxes on the right of the screen are checked, EXCEPT for "Show All".
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while scanning in progress!
* When scanning is finished click Copy.
* This copies the log to clipboard
* Post the log in your reply.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 06, 2010, 05:57:22 PM
Hey SD, was hoping this was gonna be it. Downloaded GMER.exe and ran it. First time I got a blue screen saying Windows shut down because damage was going to happen to my computer. They said there was a program called Kwtcypow.sys that was causing trouble and I needed to restart my computer and see if my hardware and software was all installed properly, and if this continued to go into safe mode. So I restarted my computer again and ran it again. This time same blue screen but it was saying it shut down because there was a Bad_Pool_Caller, whatever that is? So I am at your mercy. What is the next step?
Thank you
Helpme 220
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 07, 2010, 07:48:46 PM
Download DeFogger by jpshortstuff (http://www.jpshortstuff.247fixes.com/Defogger.exe) and save it to your desktop.
 
* Double click DeFogger.exe to run the tool.
* The application window will appear.
* Click the Disable button to disable your CD Emulation drivers
* Click Yes to continue.
* A 'Finished!' message will appear.
* Click OK.
* DeFogger will now ask to reboot the machine...click OK.
 
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
 
Do not re-enable these drivers until otherwise instructed.

Now delete the copy of ComboFix you have and download a new copy of ComboFix and run the scan. Post the log it creates.

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 08, 2010, 03:38:18 AM
Hey SD, the link for DeFogger by jpshortstuff you sent didn't work. I would just be able to highlight it; it didn't bring me to the web site. Can you please send it again.
Thanks
Help me 220
Title: Re: Still trying to get rid of virus
Post by: fullbug on January 08, 2010, 08:23:59 AM
You can find the Defogger program here- http://www.jpshortstuff.247fixes.com/Defogger.exe
Title: Re: Still trying to get rid of virus
Post by: evilfantasy on January 08, 2010, 08:51:15 AM
Link fixed. Please see above.

Thanks fullbug.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 08, 2010, 07:16:43 PM
Hey guys, here is the DeFogger log. For some reason the ComboFix doesn't want to work; can't get a log or anything. I hope this will be helpful.
Thanks to all
Helpme 220

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 08, 2010, 07:47:36 PM
Try to run the GMER Rootkit Detector in Reply 13.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 09, 2010, 10:31:51 AM
Hey SD, tried running gmer.exe, got the blue screen saying Windows was shutting down to save the computer from damage. It gave me this message: Page_Fault_in_NONPAGED_Area. What is the next step if the gmer.exe won't work?
Thanks
Helpme 220
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 09, 2010, 04:53:01 PM
I tried running it myself and got a BSOD. I will have to check this out with Evil. Could you run ComboFix again and give me another log?
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 09, 2010, 08:41:59 PM
Hey, took a while but here is my new ComboFix log. ComboFix wouldn't run, so I had a hunch and ran rkill.exe and then ComboFix would run. Is that normal? Well, here it is.
Thank you again for all you work on this .
helpme 220

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 10, 2010, 11:43:52 AM
That log looks much better. Is your computer working any better? Let's try this scan.

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 11, 2010, 05:25:19 PM
Hey guys, here is my ESET log. Computer seems to be running better: no hijacking my browser and it seems to be running faster. Is there anything I need to do to restore my computer back, or can I run everything the way it is? I remember something about turning CD drivers off and needing to restore later. It's been a long day. Hopefully this is the final piece. Also, if this is it, what are some of the steps I need to take to keep my computer running smoothly? Thank you again for all your help and patience.
Helpme 220
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 11, 2010, 05:26:35 PM
Sorry, forgot to attach the log. Here it is.

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 11, 2010, 05:48:58 PM
That looks good. If there are no other issues, it's time to do some clean-up. You can uninstall HJT but you can keep SAS and MBAM. Update them and run them about once per week.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

Uninstall GMER

Click on Start > Run and type in or copy/paste all of the following text into the Run box.

%windir%\gmer_uninstall.cmd

Click OK to remove GMER.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

* The application window will appear.
* Click the Re-enable button to re-enable your CD Emulation drivers.
* Click Yes to continue.
* A 'Finished!' message will appear.
* Click OK
* DeFogger will now ask to reboot the machine, click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Now you can delete DeFogger from your desktop

Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.

* Click Start Now
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.
----------

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.

----------

I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)

Check out Keeping Yourself Safe On The Web  (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smooth.

Safe Surfing!
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 11, 2010, 07:27:27 PM
Cool, I will run those tomorrow. One question: this all started when I ran an update for Adobe. I deleted it a while ago; should I try to download that to see if it will mess up my computer before I uninstall all these programs?
Just wondering
Thanks again
Helpme 220
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 11, 2010, 07:30:05 PM
Adobe is a safe program. It was probably just a coincidence that your problems started at that time. You will probably need Adobe sometime in the future.
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 12, 2010, 07:12:09 PM
Hey SD, computer is running great. The gmer.exe wouldn't uninstall, said it couldn't find the file, and the DeFogger would not uninstall. I am attaching the log.
Thanks again
Helpme 220

[Saving space, attachment deleted by admin]
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 13, 2010, 07:33:42 AM
I'm concerned about DeFogger re-enabling your virtual drives. Did all this happen?
Quote
* The application window will appear.
* Click the Re-enable button to re-enable your CD Emulation drivers.
* Click Yes to continue.
* A 'Finished!' message will appear.
* Click OK
* DeFogger will now ask to reboot the machine, click OK

Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 13, 2010, 02:49:51 PM
Hey SD, the DeFogger keeps giving me an error. I can hit Re-enable, but when I click on Yes I get a DeFogger error and it closes down. What do I need to do?
Thanks
Helpme220
Title: Re: Still trying to get rid of virus
Post by: SuperDave on January 13, 2010, 04:33:20 PM
Try deleting DeFogger, install it again (Reply # 7) and then re-enable it (Reply # 27).
Title: Re: Still trying to get rid of virus
Post by: Helpme220 on January 16, 2010, 07:19:24 AM
Hey SD, redownloaded DeFogger, had to hit Disable first then Re-enable; program worked fine. Thank you for all your help, my computer is running great and my life is back to normal. Thank you so much. Take care.
Helpme 220