Please help!!! Simon Taylor

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by simon_taylor, Nov 1, 2006.

  1. simon_taylor

    simon_taylor Private E-2

    Hi Major Geeks

    Recently my computer has been riddled with spyware/adware/dialers. I have followed your steps 1-8 from READ & RUN ME FIRST Before Asking for Support and it has cleared a lot of the malicious programs. However I still have popups and internet browser hijackers. After looking at my Regedit program I'm worried that I have worms like TKBellexe.exe but I'm not totally sure.

    Bitdefender did not find any problems so I won't attach it to my post.

    I think I can only post 3 attachments so I will include
    PandaActiveScan.
    GetRunKey
    log HijackThis

    I will include PandaActiveScan.
    ShowNew
    In a different post.

    Please help, all your time will be greatly appreciated and hopefully you will be able to prevent me totally wiping out my c.

    Thanks

    Simon
     


  2. simon_taylor

    simon_taylor Private E-2

    Please help!!! Simon Taylor cont

    Thanks for any help, here's the other attachment from the Panda ActiveScan
     


  3. simon_taylor

    simon_taylor Private E-2

    Hi just some extra info you might need

    Microsoft XP Professional Version 2002 service pack 2

    Intel(R) Pentium(R) M
    processor 1400mhz
    1.40ghz, 496 of Ram
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    R3 - URLSearchHook: (no name) - {E27E70E4-ED29-E1A9-7BE4-B09EF0675F97} - C:\WINDOWS\system32\svtfnwt.dll

    O2 - BHO: (no name) - {1A2CF862-8520-039B-ED9B-0773F353532A} - C:\WINDOWS\system32\bjlhkef.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {E27E70E4-ED29-E1A9-7BE4-B09EF0675F97} - C:\WINDOWS\system32\svtfnwt.dll

    O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)

    O4 - HKLM\..\Run: [ycuemsc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ycuemsc.dll,tqffqw
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\?icrosoft.NET Search for this folder and delete it!

    C:\WINDOWS\system32\svtfnwt.dll

    C:\WINDOWS\system32\bjlhkef.dll

    C:\WINDOWS\system32\ycuemsc.dll

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
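
Added example (not part of any post in this thread): a small Python triage pass over HijackThis lines like the ones quoted above, showing the kind of signals that make an entry worth a second look. The three heuristics and the function names are assumptions made for illustration, not the helper's method, and they do not reproduce the full list of entries selected in the post.

```python
import re

# Constructed sample: six of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E27E70E4-ED29-E1A9-7BE4-B09EF0675F97} - C:\WINDOWS\system32\svtfnwt.dll
O2 - BHO: (no name) - {1A2CF862-8520-039B-ED9B-0773F353532A} - C:\WINDOWS\system32\bjlhkef.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {D79559E8-9991-41C5-AA2B-A96EC766F43F} - (no file)
O4 - HKLM\..\Run: [ycuemsc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ycuemsc.dll,tqffqw
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

# R3/O2/O3 lines: "<code> - <kind>: <name> - {CLSID} - <file>"
COM_RE = re.compile(r"^(R3|O2|O3) - [^:]+: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# O4 Run-key lines: "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - \S+\\Run: \[([^\]]+)\] (.+)$")


def triage(line):
    """Return the reasons (possibly none) one log line deserves manual review."""
    line = line.strip()
    reasons = []
    m = COM_RE.match(line)
    if m:
        name, target = m.group(2), m.group(4)
        if target == "(no file)":
            # The registry entry survives but the file it points to is gone.
            reasons.append("orphaned registration: file missing")
        elif name == "(no name)" and target.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("unnamed COM object loading a DLL from system32")
    m = RUN_RE.match(line)
    if m and re.search(r"rundll32\.exe\s+\S+\.dll,", m.group(2), re.I):
        reasons.append("Run key starts a DLL through rundll32")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons; lines with no reason are left out."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print("; ".join(why), "->", entry)
```

A flag here only means "look closer"; the TkBellExe Run entry, for instance, matches none of these heuristics even though it was also ticked in the post.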
     
  5. simon_taylor

    simon_taylor Private E-2

    Hi Thanks for all your help and time

    Please find the HijackThis logfile below.

    I found all of the files in windows\system32\ to delete but could not find c:\windows\?icrosoft.NET

    However I did find 2 suspect folders named microsoft.Net. I deleted the one which only contained a file called masconfigexe.vir.

    Thanks again for your time and trouble

    simon
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any further problems?
     
