Any help would be greatly appreciated

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lain, Jan 3, 2006.

  1. Lain

    Lain Private E-2

    Hello, can someone help me please? My pc has become infected with some spyware, possibly viruses too. I'm not very well informed about these things but I have run through the steps advised here in 'Read and Run First' and also the simplified 'about blank and hsa remover' just now, as I noticed 'about blank' appeared a couple of times in internet options as my home page, and now my home page seems to be staying as it should, but I have not yet rebooted since, as it says at the end of that procedure not to in case remaining viruses mutate. In Spybot whenever I run it I am always infected with CoolwwwSearch. My computer is generally running ok but slowly, and so far every time I've turned it on my homepage has been changed to a search engine I don't know, plus things are added to my favourites that I don't want there. I am also worried about people getting my personal information when I type it in, so am avoiding purchasing anything online at the moment. I will attach the log reports. There are two of HijackThis as I took one in safe mode and one in normal. I would be very grateful for any help. Thank you.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you did not run about:Buster, or did you? Please attach the log if you ran it.
    If you did not run it, then download it and run it twice with a reboot in between runs. Make sure you are offline with no browsers open while running it.
     
  3. Lain

    Lain Private E-2

    Oh sorry, I had run it but I mustn't have downloaded it right or something because I couldn't find the log for it. Anyway I've done it again and attached the result, which looks quite promising. I should add that during the about blank removal, when I was to look through the services, I found Remote Procedure Call (RPC) Helper. I was able to stop it running, but when I right clicked I couldn't get the properties menu up for it to disable it; it kept saying something like it couldn't find it.
     

    Attached Files:

  4. Lain

    Lain Private E-2

    Maybe I should have mentioned before that I am working on Windows XP Home Edition Service Pack 2 (build 2600) on a dial-up connection, just in case it's relevant, thanks.
     
  5. Lain

    Lain Private E-2

    Any advice you could give on what anti-virus program I should use would be gratefully received. Right now all I have is Windows Firewall and Microsoft Anti Spyware. Also, should I disable viewing of hidden files, system files and file extensions again now? And should I disable System Restore yet? I greatly appreciate your time and advice on this, thank you.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Viewing of hidden files should remain that way. There is no reason to change it back especially while we are still trying to fix your problems. Do not touch System Restore yet.

    You need to go to step 7 of the READ & RUN ME and follow the directions exactly for getting HJT installed properly. And only run one session of it. Also make sure you have booted in normal boot mode. You also need to follow the directions there that tell you not to use msconfig to control startups. You must select Normal Startup. Then continue with the below.

    The second HJT log still showed infected files. I'm surprised about:Buster or HSremove does not find them. Perhaps the files are gone but not the registry keys for them.


    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {41F3D01F-6C89-A15F-70E9-32BE0CB61C71} - C:\WINDOWS\system32\ntyo32.dll (file missing)
    O2 - BHO: Class - {7C061B06-4572-3DED-BEE5-45419ADBBEFC} - C:\WINDOWS\wineu32.dll (file missing)
    O2 - BHO: Class - {9101E79D-A1A7-196F-75D9-D469880131A5} - C:\WINDOWS\nethv32.dll (file missing)
    O2 - BHO: Class - {92C13A2E-9A7F-21D3-5898-A6A429E0CF01} - C:\WINDOWS\iexr32.dll (file missing)
    O2 - BHO: Class - {B32D8461-B24C-D626-990B-16F9A99073D4} - C:\WINDOWS\system32\mfcey.dll (file missing)
    O4 - HKLM\..\Run: [apifr.exe] C:\WINDOWS\apifr.exe
    O4 - HKLM\..\Run: [msdi32.exe] C:\WINDOWS\system32\msdi32.exe
    O4 - HKLM\..\Run: [atlqd.exe] C:\WINDOWS\system32\atlqd.exe

    Unless you absolutely require the below TZ entries for work or something, fix them.
    O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
    O15 - Trusted Zone: http://memberservices.tesco.net

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below if found (some or all may already be gone):
    C:\WINDOWS\system32\ntyo32.dll
    C:\WINDOWS\wineu32.dll
    C:\WINDOWS\nethv32.dll
    C:\WINDOWS\iexr32.dll
    C:\WINDOWS\system32\mfcey.dll
    C:\WINDOWS\apifr.exe
    C:\WINDOWS\system32\msdi32.exe
    C:\WINDOWS\system32\atlqd.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free, you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Jan 4, 2006
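    The HJT lines quoted in the post above follow a fixed layout (O2 BHO entries with a CLSID and a path, O4 Run entries with a value name and a command line, O15 trusted-zone hosts), so the triage chaslang did by eye can be scripted. The following is an added example, not part of the thread or of HijackThis itself: it parses those three line types, lists the on-disk paths to check, and flags the two patterns visible in this log (a BHO marked "(file missing)", which is an orphaned registry entry, and a Run value whose name is just the executable's own file name). The "value name equals file name" rule and the msconfig check are heuristics chosen for this example, not a rule from the page; the sample lines are copied from the post.

```python
import re
from typing import Dict, List

# Constructed sample: HijackThis lines quoted in chaslang's post above.
SAMPLE_HJT_LOG = """\
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {41F3D01F-6C89-A15F-70E9-32BE0CB61C71} - C:\\WINDOWS\\system32\\ntyo32.dll (file missing)
O2 - BHO: Class - {7C061B06-4572-3DED-BEE5-45419ADBBEFC} - C:\\WINDOWS\\wineu32.dll (file missing)
O4 - HKLM\\..\\Run: [apifr.exe] C:\\WINDOWS\\apifr.exe
O4 - HKLM\\..\\Run: [msdi32.exe] C:\\WINDOWS\\system32\\msdi32.exe
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O15 - Trusted Zone: http://memberservices.tesco.net
O4 - HKLM\\..\\Run: [WildTangent CDA] "C:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe" /startup "C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0500.dll"
"""

# Line shapes as HJT prints them: "O2 - BHO: <name> - {CLSID} - <path> [(file missing)]",
# "O4 - <hive\..\key>: [<value name>] <command line>", "O15 - Trusted Zone: <host>".
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")


def exe_path(cmd: str) -> str:
    """Return the executable path from a Run command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> Dict[str, List[str]]:
    """Classify O2/O4/O15 lines of an HJT log into review buckets (heuristics are this example's own)."""
    findings: Dict[str, List[str]] = {
        "orphaned_bho": [],     # BHO CLSIDs whose DLL is already gone from disk
        "suspect_run": [],      # Run values named after the bare exe they launch
        "msconfig_active": [],  # msconfig still managing startups (post 8 in the thread)
        "trusted_zones": [],    # hosts granted Trusted Zone privileges
        "paths": [],            # every path referenced, for the safe-mode delete step
    }
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            findings["paths"].append(m["path"])
            if m["missing"]:
                findings["orphaned_bho"].append(m["clsid"])
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m["cmd"])
            findings["paths"].append(path)
            basename = path.rsplit("\\", 1)[-1]
            if basename.lower() == "msconfig.exe":
                findings["msconfig_active"].append(m["value"])
            elif m["value"].lower() == basename.lower():
                findings["suspect_run"].append(path)
            continue
        m = O15_RE.match(line)
        if m:
            findings["trusted_zones"].append(m["host"])
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_HJT_LOG).items():
        print(f"{bucket}:")
        for item in items:
            print(f"  {item}")
```

The "paths" bucket is exactly the list a helper hands back in the "delete the below if found" step; the other buckets mirror the three things the post asks HJT to fix. A Run value named after its own executable is a weak signal on its own (legitimate installers sometimes do it), which is why it is a review bucket rather than an automatic fix.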
  7. Lain

    Lain Private E-2

    Hi and thanks again, I followed all the instructions you left me. Though when I first tried to reboot in normal mode, when Windows opened again it completely froze and in the end I had to switch off the pc at the wall. When I got back on it seemed ok however and I was able to proceed with all the instructions. I will attach the HJT log now. My home page seems to be staying as it should now and there are no nasty surprises in my favourites. I just scanned with Spybot, Ad-Aware and Microsoft Anti Spyware. Spybot found one thing called WildTangent which it removed, MS AntiSpyware found nothing and Ad-Aware found a tracking cookie/data miner but said it was a low risk; apparently it could just be something on a website that keeps track of page views or something, which I removed anyway.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have HJT fix the below WildTangent entry:
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

    Do you know what the below are?
    O4 - HKLM\..\Run: [PCEyeLic] C:\Program Files\PCEye2000\pceye2000.exe
    O4 - HKLM\..\Run: [AntivirusRegistration] C:\WINDOWS\System32\EzAntivirusRegistrationCheck.exe

    You don't appear to have an antivirus application so I question the above.

    You are still using msconfig:

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    Step 7 of the READ & RUN ME gives you this link: In the above link it states:
    Please follow those directions. And post a new HJT log.
     
  9. Lain

    Lain Private E-2

    Hi, I've set Normal Startup in msconfig now, sorry, thought I'd already done that. I got rid of WildTangent on HJT and also those other two programs. They were on my pc when I got it I think but I have never used them; I didn't need pceye and the other seemed to be a link to a site to buy antivirus software from. One other thing I noticed: I have SpyFighter in my add/remove programs list. I read that this isn't a good product to use, but when I click on it in that list to remove it, no option to remove it appears as would normally happen with anything else in the list. I can't find it anywhere else like in programs or anything; I actually thought I'd uninstalled it. Anyway here is the last HJT log.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below to get SpyFighter removed.

    Run CCleaner and click on the Tools button. Now you come to a window with Uninstall highlighted. Click on the SpyFighter entry to select it. Then click the Delete button on the right side.

    Did this work?
     
  11. Lain

    Lain Private E-2

    No, that didn't work; a little box popped up saying cannot delete MSI installer.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try clicking Uninstall instead. Does that work?
     
  13. Lain

    Lain Private E-2

    Yay, that worked, cool, thanks! Do you think I am clear of malware now? There are two things in the remove/change list that I'm not sure what they are: one is switch uninstall and the other is wavepad uninstall. They may be fine, I just never noticed them before.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what they are, but you must keep track of what gets installed on your PC, and if not used they should be removed.

    Is wavepad this: http://www.softpedia.com/get/Multimedia/Audio/Audio-Editors-Recorders/WavePad.shtml

    Look in Start All Programs and see what applications can be run. Sometimes you can find the exact same name as in Add/Remove.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it looks like you are all cleaned up. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  16. Lain

    Lain Private E-2

    Hi, I just found out what they were. My brother had installed them; they were just trials of programs to do with converting audio files or something. Anyway they had expired so I got rid of them. Sorry to waste your time with that.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! Just complete what I gave you in msg # 15.
     
  18. Lain

    Lain Private E-2

    I've been following instructions on how to protect from malware and now have Avast running, plus am downloading Mozilla Firefox, but I had a problem with Outpost Firewall: when I had it running my browser ran so slow I waited for almost fifteen minutes and my homepage still didn't come up, it just kept saying waiting for website to reply, the same if I tried to go to any site, so I had to uninstall it. I guess I'll try the others. Anyway thank you so much for all your help, I don't know what I'd have done without you, you guys are doing a great job! If I ever wind up in New Jersey the drinks are on me!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to allow iexplore.exe access through the firewall.

    Try ZoneAlarm! The default setup works pretty well with what it has already allowed access to.
     
  20. Lain

    Lain Private E-2

    Ok great, that's all done now! Wow, never thought I'd get through it all! Again thanks so much! xoxoxoxoxoxox
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!
     
