Ready for help now

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by petrab, Jun 30, 2006.

  1. petrab

    petrab Private E-2

    Did something stupid last night, clicked on a bat file when I wasn't really paying attention. I saw it execute something, but it went too fast to read.

    Next thing I know my safety center was warning me that my Symantec real time protection was disabled. I tried to find the bat file but it must have deleted itself?

    The first time I ran Bitdefender online, it found malware. Unfortunately, I didn't abide by the rules so the report is too large to attach. Strangely enough, the second time I ran it, it did not find any malware.

    I have attached the Panda scan report. They found malware both times.
    Last but not least, I have attached the hijackthis report.

    I cannot seem to get rid of the last of the sh*t on my computer. In the meantime, my Norton Corporate Edition 8.1 is still not running and providing real time protection.

    Please help? Thanks!!
    Petra
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs do not show any real major problems. There are just a few left over undefined registry keys and a few files to remove from Blazefind. I'll give you something to try so we can make sure all of it is gone.

    Copy the bold text below to notepad. Save it as fixBlaze.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (you may not find most or any of these):
    C:\Documents and Settings\Petra Bangs\Favorites\shopping\Walmart.url
    C:\Program Files\WindowsSA <--- the whole folder
    C:\WINDOWS\System32\car.ico
    C:\WINDOWS\System32\casino.ico
    C:\WINDOWS\System32\creditcard.bmp
    C:\WINDOWS\System32\Go.ico
    C:\WINDOWS\System32\omniprivacy.khtml
    C:\WINDOWS\System32\2_0_1browserhelper2.dll
    C:\WINDOWS\System32\3_0_1browserhelper3.dll
    C:\WINDOWS\System32\5_0_1browserhelper5.dll
    C:\WINDOWS\System32\iesearchbar.dll
    C:\WINDOWS\System32\UnstSA2.exe
    C:\WINDOWS\System32\UnstSA5.exe
    C:\WINDOWS\System32\key2.txt
    C:\WINDOWS\System32\key5.txt
    C:\WINDOWS\2_0_1browserhelper2.dll
    C:\WINDOWS\3_0_1browserhelper3.dll
    C:\WINDOWS\5_0_1browserhelper5.dll
    C:\WINDOWS\iesearchbar.dll
    C:\WINDOWS\installer2.exe
    C:\WINDOWS\installer5.exe
    C:\WINDOWS\omniscient.exe
    C:\WINDOWS\Omniscienthook.dll
    C:\WINDOWS\omniband.dll
    C:\WINDOWS\wsaupdater.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now. If you are still having problems, please explain them.
     
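The manual safe-mode deletion steps above (check the read-only attribute, kill a running copy, then delete) as an added example that is not part of the thread: a PowerShell check over a subset of the paths chaslang listed, run from an elevated prompt. Path variables such as $env:ProgramFiles and the default dry-run switch are assumptions of this example, not something from the post.

```powershell
# Added example, not from the thread: verify that the BlazeFind/WindowsSA
# leftovers listed in the post are gone, handling the two failure modes the
# post mentions (read-only attribute, file locked by a running process).
# Subset of the post's paths; resolve the drive/profile from the environment (assumption).
$Targets = @(
    "$env:USERPROFILE\Favorites\shopping\Walmart.url",
    "$env:ProgramFiles\WindowsSA",
    "$env:SystemRoot\System32\iesearchbar.dll",
    "$env:SystemRoot\System32\UnstSA2.exe",
    "$env:SystemRoot\System32\UnstSA5.exe",
    "$env:SystemRoot\iesearchbar.dll",
    "$env:SystemRoot\omniscient.exe",
    "$env:SystemRoot\Omniscienthook.dll",
    "$env:SystemRoot\wsaupdater.exe"
)

function Remove-Leftover {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$DryRun   # report what would happen without deleting (assumed default below)
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return "absent  : $Path"
    }
    $item = Get-Item -LiteralPath $Path -Force
    # Post step 1: a set read-only attribute makes the delete fail, so clear it first.
    if ($item.Attributes -band [IO.FileAttributes]::ReadOnly) {
        if (-not $DryRun) {
            $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::ReadOnly
        }
    }
    # Post step 2: a running copy of an .exe keeps the file locked; stop it before deleting.
    $locking = @()
    if ($item.Extension -ieq '.exe') {
        $locking = @(Get-Process -Name $item.BaseName -ErrorAction SilentlyContinue)
        if (-not $DryRun) { $locking | Stop-Process -Force }
    }
    if ($DryRun) {
        return "present : $Path (read-only=$([bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)), running=$($locking.Count))"
    }
    Remove-Item -LiteralPath $Path -Recurse -Force
    return "removed : $Path"
}

# Dry run first; rerun without -DryRun once the report looks right.
$Targets | ForEach-Object { Remove-Leftover -Path $_ -DryRun }
```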
  3. petrab

    petrab Private E-2

    Chaslang,
    I've followed your instructions today, please see attached hjt log.
    Yesterday, I was able to restore my norton antivirus program, so my realtime protection is back online again, a big worry less.
    My computer seems itself again. The NAV scan and Panda are still running, but I'm confident they will come up empty after all this work!
    Thank you so much for your help.
    Petra
     


  4. petrab

    petrab Private E-2

    See attached pandascan, unfortunately it still finds iesearchbar?
    Do I understand correctly that eicar is a virus-test file used by pestpatrol and can be left alone?
    Thanks,
    Petra
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that is just a test file. Also don't worry about the iesearchbar detection. Panda gives no helpful information on what it is finding in the registry so there is nothing we can do about it (other than what I already tried when I gave you a patch for BlazeFind, but BlazeFind and IEsearchbar are the same thing). Panda does this quite often and when it does not give any info, it is typically an inactive registry key that you don't need to worry about.

    If you are not having any other malware problems, you should work thru the below link:

    How to Protect yourself from malware!
     
