Anyone able to help please?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Orriole, Jun 10, 2006.

  1. Orriole

    Orriole Private E-2

    I have completed all the steps in the READ & RUN ME FIRST sticky and got the logs. I was not able to run Windows Defender but used CounterSpy instead.

    When in safe mode, a lot of stuff was removed from all of the programs, but when I rebooted in normal mode the problem is still here. The problem is a lot of pop-ups and such that say that they are from Windows Security Centre, threatening to reboot my computer (which never happens because the timer stops), keeps saying my computer is infected etc etc etc and to remove it I have to buy one of the 3 anti-spyware programs from the site it always brings up (antispywarebox.com).

    Anyway, if anyone has any idea what is going on or how I can get rid of it I'd much appreciate it.

    Thanks
     

    Attached Files:

    Last edited by a moderator: Jun 10, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You forgot to attach the Bitdefender log requested in step 6 of the READ ME.

    Is the below PUSH650C.exe process related to WinFast ?
    O4 - Global Startup: PUSH650C.lnk = C:\WINDOWS\twain_32\PUSH650C.exe


    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: some of the files listed below may not exist but we need to check for them anyway.
    c:\windows\bg.gif
    c:\windows\BTGrab.dll
    c:\windows\dlmax.dll
    c:\windows\susp.exe
    c:\windows\system32\a.exe
    c:\windows\system32\alxres.dll
    c:\windows\system32\bridge.dll
    c:\windows\system32\dailytoolbar.dll
    c:\windows\system32\runsrv32.exe
    C:\windows\system32\runsrv32.dll
    C:\WINDOWS\system32\susp.exe
    c:\windows\system32\tcpservice2.exe
    c:\windows\system32\txfdb32.dll
    C:\WINDOWS\system32\users32.exe
    C:\WINDOWS\SYSTEM32\winjrs32.dll
    c:\windows\downloaded program files\f3initialsetup1.0.0.8.inf


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. (You may not see these! If not, just continue.)
    C:\Program Files\outlook\outlook.exe
    C:\WINDOWS\FNTS~1\javaw.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
    O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    c:\windows\bg.gif
    c:\windows\BTGrab.dll
    c:\windows\dlmax.dll
    c:\windows\susp.exe
    c:\windows\system32\a.exe
    c:\windows\system32\alxres.dll
    c:\windows\system32\bridge.dll
    c:\windows\system32\dailytoolbar.dll
    c:\windows\system32\runsrv32.exe
    C:\windows\system32\runsrv32.dll
    C:\WINDOWS\system32\susp.exe
    c:\windows\system32\tcpservice2.exe
    c:\windows\system32\txfdb32.dll
    C:\WINDOWS\system32\users32.exe
    C:\WINDOWS\SYSTEM32\winjrs32.dll


    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach a new HJT log.

    Also tell me how things are working!
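Added example, not code from this thread, from HijackThis or from MajorGeeks: a small Python triage script for the HJT log line types quoted in the post above (O2 BHO, O4 Global Startup, O8 context menu item, O20 Winlogon Notify), applying the same reasoning chaslang used when he picked lines to Fix. The sample log is constructed from the lines quoted in this thread, not a complete real log. The "fix"/"review" verdicts and the choice to mark every O20 entry "review" rather than "fix" are this example's own assumptions (some Winlogon Notify DLLs are legitimate, so the DLL should be checked, as chaslang did against the KillBox list, before fixing).

```python
"""Triage of HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Sample log constructed from lines quoted in the MajorGeeks thread (not a real full HJT log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll
O4 - Global Startup: PUSH650C.lnk = C:\WINDOWS\twain_32\PUSH650C.exe
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location='http://sexmaxx.com/freegalleries.htm';}
O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll
"""


@dataclass
class Finding:
    section: str   # HJT section tag: O2, O4, O8 or O20
    verdict: str   # "fix" (safe to select and Fix in HJT) or "review" (confirm with the user first)
    detail: str
    line: str      # the original log line, verbatim, so it can be matched in the HJT scan window


# Line shapes as they appear in the thread's quoted HJT entries (assumed format, from those lines only).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - Global Startup: (?P<link>.+?) = (?P<target>.+)$")
O8_RE = re.compile(r"^O8 - Extra context menu item: (?P<text>.+?) - (?P<target>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<dll>.+)$")


def triage_line(line):
    """Classify one HJT log line; returns a Finding, or None for lines this example does not parse."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("file").strip().lower() == "(no file)":
            # A BHO CLSID whose DLL is gone is dead registry residue; nothing legitimate depends on it.
            return Finding("O2", "fix", f"orphaned BHO {m.group('clsid')}", line)
        return Finding("O2", "review",
                       f"BHO {m.group('name')} loads {m.group('file')}; confirm the user installed it", line)
    m = O8_RE.match(line)
    if m:
        target = m.group("target").strip().lower()
        if target.startswith(("javascript:", "http://", "https://")):
            # A context-menu item that just redirects the browser is a hijack, not functionality.
            return Finding("O8", "fix", f"context menu item redirects to {m.group('target')}", line)
        return Finding("O8", "review", f"context menu item runs {m.group('target')}", line)
    m = O20_RE.match(line)
    if m:
        # Winlogon Notify DLLs load inside winlogon.exe at logon; an unknown one must be checked on disk
        # and deleted on reboot (as with KillBox above), since it is in use while the user is logged on.
        return Finding("O20", "review", f"Winlogon Notify {m.group('subkey')} loads {m.group('dll')}", line)
    m = O4_RE.match(line)
    if m:
        return Finding("O4", "review",
                       f"Global Startup {m.group('link')} runs {m.group('target')}; ask what it belongs to", line)
    return None


def triage_log(text):
    """All findings for a log, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def fix_lines(text):
    """The exact lines to select in the HJT scan window and Fix."""
    return [f.line for f in triage_log(text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:7}{f.section:5}{f.detail}")
```

On the sample above the script marks the three "(no file)" BHOs and the javascript: context-menu item as "fix", which matches the lines chaslang selected, and leaves the adobepnl BHO, the PUSH650C startup link and the winjrs32 Winlogon Notify entry for a human decision, which is how the thread actually proceeded (the scanner link was confirmed by the user, the other two were removed).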
     
  3. Orriole

    Orriole Private E-2

    Hi chaslang,

    Many thanks for your help.

    However, I am unable to run BitDefender on my computer, despite installing the ActiveX control.

    PUSH650C.exe is a program for my scanner.

    I have followed your instructions, but the system tray message still keeps on coming up and the homepage keeps wanting to be changed. I am attaching the new HJT log.

    Thanks again.
     

    Attached Files:

  4. Orriole

    Orriole Private E-2

    Heya,

    I've managed to get rid of my spyware.

    Used the new updated version of SmitfraudFix in safe mode to remove it. I believe it was an adobepnl.dll file but can't be certain.

    Anyway, thank you for all the help!!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was going to be my next question! I was going to ask if the below was really something you installed for Adobe:

    O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

    Is that line gone from your HJT log now?

    Also, because I did not think so, there is a fix for this in another one of our sticky procedures: SpywareQuake & SpyFalcon Removal Procedure
     
    Last edited: Jun 12, 2006
  6. Orriole

    Orriole Private E-2

    That line has now gone from my HJT log and all seems to be working well.

    Thank you for all of your help chaslang, really appreciated.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore, which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
