Help - Infected computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by chaz wheeler, Jan 4, 2006.

  1. chaz wheeler

    chaz wheeler Private E-2

    please excuse my ignorance if I forgot anything, but here is where I am at.

    computer infected with IE toolbar, IE hijacker, etc...basically screwed. Followed the cleaning text described here (http://forums.majorgeeks.com/showthread.php?t=31668)

    Microsoft spyware protection found many files, and deleted. But I have since returned to normal mode, and still have several problems..specifically that I see the IE browser is still being hijacked after google searches, there is an html background on the desktop and I cannot access any web based email pages (gmail just will not show up)

    Anyway, attached is my hijackthis log file...hopefully someone can help

    chaz
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MG's.

    You should not be disabling System Restore yet. And you need to follow ALL steps in the READ & RUN ME. You did not follow the directions in step 6 and you did not follow the directions in step 7 either. HJT should not be running from a Desktop folder and msconfig should not be running to control startups. Read the directions and you will see what I'm referring to.

    Also the below should not be running when you are using HJT:
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

    After you complete ALL those steps and post the BitDefender and Panda logs and a new HJT log we will be able to give you a fix. What I can tell you is that you have a Wareout infection that we need to remove but I need the other logs and also need msconfig to be disabled first.
     
  3. chaz wheeler

    chaz wheeler Private E-2

    ok....hope I did not screw this up.

    I ran all the requested programs except spybot. Spybot would not let me run without downloading updates, and each time I tried to get the updates off the internet, it just kept searching (I let it run for about 1 hour at longest)

    Anyway, I am still running in safe mode, with network so I can access the internet. The logs from the required programs are attached

    please help!! :)
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As indicated in the stickies we almost always require HJT logs from normal boot mode. This last one is from safe mode. You also did not stop using msconfig. As I indicated in my last message, you must not use msconfig to control startups while we are trying to fix problems. It could prevent us from seeing things we need to see. Please follow the directions in the link given in step 7 of the READ & RUN ME.

    I'll try to work from what you posted but the steps may not be correct because not everything will show in safe mode & msconfig may be hiding things. Also note you are still running HJT from a Desktop folder which is exactly where we request it not be installed. A folder like C:\HJT or C:\Program Files\HJT is a much better choice and some procedures may even depend on it being there. But Desktop and temp folders are a bad choice.

    Look in Add/Remove programs for UnSpyPC and uninstall if found.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{76FCF0AF-56B7-4752-B328-778683A906F7}: NameServer = 85.255.114.53,85.255.112.106

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\WINDOWS\system32\idemlog.exe
    C:\WINDOWS\SYSTEM32\favset.exe
    C:\WINDOWS\SYSTEM32\msblank.html
    C:\WINDOWS\system32\winctrl32.exe
    C:\WINDOWS\rdt.ini
    C:\Documents and Settings\Administrator\2.dat
    C:\Program Files\PartyPoker <--- delete the whole folder if found
    C:\Program Files\UnSpyPC <--- delete the whole folder if found


    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also make sure you do not have msconfig controlling startups and attach a new HijackThis log.
     
    Last edited: Jan 7, 2006
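The O17 entry in the fix above is the part of a Wareout infection that explains the symptoms in the opening post: the infection writes its own NameServer value into the TCP/IP interface key, so every DNS lookup (google results, the gmail login page) is answered by the attacker's resolver and can be redirected at will. Checking a HijackThis log for that pattern is mechanical, so the following is an added example, not code from the thread or from HijackThis, that parses O17 lines and flags resolvers that are not on an allowlist. The sample log lines are constructed (the first O17 line copies the entry from the post; the second, with a made-up interface GUID and 192.168.1.1, is a benign one for contrast), the allowlist of expected DNS servers is an assumption, and the 85.255.112.0/20 "known-bad" range is only the /20 that contains both resolvers from the post, stood in as a hypothetical blocklist where a real check would use a maintained list.

```python
import ipaddress
import re

# Constructed sample HijackThis log fragment (not a real log from the thread).
# Line 2 reproduces the O17 entry from the fix post; line 3 is an invented benign
# interface entry so the audit has something to pass as well as something to flag.
SAMPLE_HJT_LOG = r"""O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{76FCF0AF-56B7-4752-B328-778683A906F7}: NameServer = 85.255.114.53,85.255.112.106
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
"""

# Assumption: the only resolvers this machine should ever have configured
# (here, a home router). Anything else in an O17 entry deserves a look.
EXPECTED_DNS = {"192.168.1.1"}

# Assumption / hypothetical blocklist: the /20 containing both hijacked resolvers
# named in the post. A real audit would load a maintained bad-resolver list instead.
KNOWN_BAD_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# HJT O17 lines look like:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = ip1,ip2
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)")


def parse_o17(log_text):
    """Return [(registry_key, [resolver, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in m.group("servers").split(",") if s]
        entries.append((m.group("key"), servers))
    return entries


def classify(server):
    """'expected' if allowlisted, 'known-bad' if inside a blocklisted range, else 'unexpected'."""
    if server in EXPECTED_DNS:
        return "expected"
    ip = ipaddress.ip_address(server)
    if any(ip in net for net in KNOWN_BAD_RANGES):
        return "known-bad"
    return "unexpected"


def audit(log_text):
    """Return [(registry_key, resolver, verdict), ...] for every resolver that is not expected."""
    findings = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            verdict = classify(server)
            if verdict != "expected":
                findings.append((key, server, verdict))
    return findings


if __name__ == "__main__":
    for key, server, verdict in audit(SAMPLE_HJT_LOG):
        print(f"{verdict:11} {server:16} {key}")
```

On the machine itself the same values live under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer, which is what HijackThis abbreviates as HKLM\System\CCS\Services\Tcpip\..\{GUID}; after running the fix, `ipconfig /all` should list only the resolvers you expect, and any O17 line that reappears in a fresh log means the entry was re-created and the cleanup is not finished.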
  5. chaz wheeler

    chaz wheeler Private E-2

    First of all, let me say thanks for all the help you are giving me. You are really digging me out of a jam

    Attached are the two files, hopefully I have done everything correctly.

    Whats next?
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Looks clean now. Are you having any other malware problems?
     
  7. chaz wheeler

    chaz wheeler Private E-2

    no, not that I know of. I downloaded the firewall you suggested on this site, and have microsoft spyware running now

    thanks again for all your help. I really do appreciate it

    chaz
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link (sounds like you may have started on it already):

    How to Protect yourself from malware!
     
