Problem running Trend Micro & Symantec Security Alert

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by haitisarah, Mar 1, 2005.

  1. haitisarah

    haitisarah Private E-2

    I'm working through "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal." Step one instructs me to do an online scan at Trend Micro and Symantec. However, when I try to run the scan, it is instantly blocked and closed. I have a popup blocker on my Yahoo toolbar, but I have disabled that. Is there something else I need to disable to run these scans? I also have Ad-aware's Adwatch and Norton Systemworks running.
     
  2. haitisarah

    haitisarah Private E-2

    Accessing internet in safe mode

    In trying to run scans in safe mode, I cannot access the internet. I have gone to msconfig to boot in safe mode and checked network. I have gone to startup and checked the boxes for my Starband internet system. However, I still cannot get IE to connect while in safe mode. Any suggestions?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running IE when doing the scans and are you able to connect in safe mode?

    If you ran IE and still have problems, it could be malware at play. Continue with the rest of the steps and if you still have problems after completing them, follow the steps below.


    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT. All instructions are covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Accessing internet in safe mode

    Please stay in one thread for your problems. If you cannot run the online scans in safe mode the READ ME tells you to run them in normal boot mode.

    I merged you back into one thread. See my message below.
     
  5. haitisarah

    haitisarah Private E-2

    Hijack This log attached and symptom details

    I have done everything specified in "READ ME FIRST..." except Trend Micro, which continues to be blocked for me (I am using IE to try to run this). I was able to get the Symantec Security Check to run and it was fine.

    I am still getting my Ad-watch warning that randreco.exe is in my active memory. I can do a search to its location and delete it, but it comes back. My system is still occasionally bogged down by random files running the system up to 100% in the CPUs.

    Can someone look at my log file and let me know what I'm missing?
     
  6. PhilliePhan

    PhilliePhan Guest

    Re: Hijack This log attached and symptom details

    Please attach your log as per Chaslang's instructions in post #3 and somebody will have a look as soon as they can.

    PP :)
     
  7. haitisarah

    haitisarah Private E-2

    Here is my Hijack This log

    As per instructions, I have completed all steps possible and am trying to attach the log file.
     


    Last edited: Mar 3, 2005
  8. haitisarah

    haitisarah Private E-2

    More specifics about problems still persisting

    As instructed, my HJT log is posted below.

    To be more specific, since I have run all the scans and fixes in "Do This First" and cleaned everything up as best I can, I am still getting these picked up by my Norton Antivirus as extras and my Ad-aware:
    Adware.Begin2search
    Adware.EliteBar
    VX2
    I follow procedures to get rid of them, but they keep coming back.

    My system also gets bogged down. When I go to Windows Task Manager and look at processes, random processes (not listed on Applications) are running the CPU usage up to 100%. lsass.exe, SVCHOST.EXE, explorer.exe and msmsgs.exe are often shooting up and dropping down. I may just be paranoid by this point, but they seem to drop down if I'm watching!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: More specifics about problems still persisting

    Is this ProxyServer setting required for your ISP or some software you use?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877


    You should not always be using msconfig to control what programs load at startup. Run msconfig and select Normal Startup so we can see everything that would normally load (to make sure no other bad stuff is hiding). If you need to control startups, get a true startup manager program like StartCPL.
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


    Click Start, and then click Run and type: regsvr32 /u C:\WINDOWS\dlmax.dll
    and press enter. Repeat the process for the four files listed below:

    C:\Program Files\cmw1axvm
    C:\WINDOWS\System32\rvkni.dll
    C:\WINDOWS\System32\iybet.dll
    C:\Documents and Settings\All Users\Application Data\msw\MSW.dll


    If you get any error messages, don't worry about them. Just OK out of them and continue.

    Make sure you have system restore disabled and viewing of hidden files enabled.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
    O2 - BHO: (no name) - {13BFB88C-0CC8-4932-83A3-433DE27541BA} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: SDWin32 Class - {235A42CF-42BE-43DF-AF44-253428DBE003} - C:\WINDOWS\System32\rvkni.dll
    O2 - BHO: SDWin32 Class - {23FEA28D-1F13-4A2A-BB3C-897CD3E0AB37} - C:\WINDOWS\System32\iybet.dll
    O2 - BHO: (no name) - {341A518C-FB6A-4A2E-BC03-800D43C88625} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {44F55EFB-3025-43BC-A70E-1B0908953DD3} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
    O2 - BHO: (no name) - {634B555A-4DAA-4B5B-A70D-66FBD6BAC442} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {6C41B746-313D-4E37-936D-4168F758133C} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {7CC5850D-7D45-4DF3-85D6-178A72461D1B} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {841F2E85-0496-4F32-B7AC-2FE4C3305E4E} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {90F59E28-F076-4E9C-A4FF-9113FF66C656} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {AAC54D2E-CBF6-427F-B20C-AB75DF4B35B2} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {ABEA8A65-738E-49D0-9135-3FCCAFC86469} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {C33AFBD2-FF0E-4E42-99BA-9AAFC65E2B67} - C:\Program Files\cmw1axvm\cmw1axvm.dll
    O2 - BHO: (no name) - {CD0D4A91-C96C-494D-8113-1CD7D0BBEFDE} - C:\Program Files\cmw1axvm\cmw1axvm.dll


    Do you know what this next line is for? If not, fix it too.
    O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\dlmax.dll
    C:\Program Files\cmw1axvm <--- the whole folder
    C:\WINDOWS\System32\rvkni.dll
    C:\WINDOWS\System32\iybet.dll
    C:\Documents and Settings\All Users\Application Data\msw <--- the whole folder

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Let me know if you have any problems finding or deleting any of these files.

    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  10. haitisarah

    haitisarah Private E-2

    A couple of issues came up

    I followed directions and my new HJT log file is attached.

    Two odd things:
    1) I have tried about 6 times to get things to start in Normal Startup, but I still get the message that I am in Selective Startup. I've gone to Run, Msconfig, then checked Normal Startup, then apply, then okay. Originally, a few days ago, I did this to avoid loading the Elite Toolbar that kept loading at startup. It's gone now, but I can't seem to get things back to normal start up.

    2) I have tried twice to delete R0 - Hklm\software\Microsoft\Internet Explorer\Search, CustomizeSearch =. However, it is still there when I check again. The rest of the fixed items stayed gone.

    I'm not sure about the proxy server question. We do have our internet service through Starband and a satellite dish. I'm not sure how to check on this.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: A couple of issues came up

    You are probably having problems changing msconfig to Normal Startup and also removing the R0 entry due to the below lines in your HJT log:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    These restrictions are more than likely put in place with either Ad-Aware's Adwatch or Spybot S&D, SpywareBlaster, or similar. You need to disable Adwatch or Spybot or whatever else you have locking those settings. Then you will be able to boot Normal Startup and remove the R0 line.
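    An added example (not code from this thread or from MajorGeeks) that applies the kind of checks chaslang makes in posts #9 and #11 to HijackThis log lines: it parses O2 BHO, R1 ProxyServer and O6 policy entries and flags the patterns he calls out (nameless BHOs, DLLs outside Program Files/WINDOWS, one DLL behind many CLSIDs, a proxy pointing at 127.0.0.1, IE restrictions present). The sample lines are constructed from the entries quoted above plus one constructed benign BHO; the heuristics and thresholds are assumptions, not HJT's own logic.

```python
import re
from collections import defaultdict

# Constructed sample: entries quoted in this thread plus one made-up benign BHO
# with a placeholder CLSID (not a real product).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: (no name) - {13BFB88C-0CC8-4932-83A3-433DE27541BA} - C:\Program Files\cmw1axvm\cmw1axvm.dll
O2 - BHO: (no name) - {341A518C-FB6A-4A2E-BC03-800D43C88625} - C:\Program Files\cmw1axvm\cmw1axvm.dll
O2 - BHO: MSW.cIExplorer - {4B57B77A-B130-4EB8-8CFB-42B880F6D311} - C:\Documents and Settings\All Users\Application Data\msw\MSW.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\example.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>.+)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+) present$")

def triage(log_text):
    """Return (line, reason) pairs for HJT entries that deserve a closer look."""
    findings = []
    dll_owners = defaultdict(list)  # lower-cased DLL path -> CLSIDs registered to it
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
            lower = path.lower()
            dll_owners[lower].append(clsid)
            if name == "(no name)":
                findings.append((line, "BHO with no registered name"))
            if "\\application data\\" in lower or "\\documents and settings\\" in lower:
                findings.append((line, "BHO DLL in a user-writable data folder"))
            elif re.search(r"\\windows\\[^\\]+\.dll$", lower):
                findings.append((line, "BHO DLL dropped directly in the WINDOWS folder"))
            continue
        m = PROXY_RE.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group("proxy")):
            findings.append((line, "IE proxy points at the local machine (traffic redirection)"))
            continue
        if O6_RE.match(line):
            findings.append((line, "IE policy restriction present (security tool lock or malware)"))
    # Many CLSIDs behind one DLL is the re-registration trick seen with cmw1axvm.dll above.
    for path, clsids in dll_owners.items():
        if len(clsids) > 1:
            findings.append((path, f"{len(clsids)} CLSIDs registered to one DLL"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```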
     
  12. haitisarah

    haitisarah Private E-2

    Yippee! All looks good and runs well this morning.

    Everything looks clean, I was able to start up normally, and no bad things were picked up by Norton or Ad-aware. I'm holding my breath, but hopeful.

    Thank you so much!! I've learned so much and am so grateful to be rescued out of what seemed to be a hopeless situation. I will never try to look up song lyrics to "Lucy in the Sky with Diamonds" again! (I think that's what detonated all this mess).
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Yippee! All looks good and runs well this morning.

    You're welcome! Make sure you have performed the equivalent of all the steps in the below thread to help avoid future problems.

    How to Protect yourself from malware!
     
