Spyware help and guidance needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by quangpt, Feb 14, 2005.

  1. quangpt

    quangpt Private E-2

    My home PC has recently been infected with a certain spyware or Trojan and I could not remove it by Norton AV or Ad-aware.

    The Internet connection is by dial-up only through ISP, with Norton AV installed. The recent log report was indicative of a Trojan download virus that NAV failed to quarantine and/or access blocked. However NAV had successfully detected and deleted others.

    Every time I start a connection, IE will pop-up and connect to 'http://h1-us/cream.html' and would take all my bandwidth to transmit who-knows-what to somewhere I could not know. I could not send/receive e-mail and surf the Net because of this, and if possible, it would take a very long time to get to a website or read an e-mail.

    I had tried ad-aware and spybot without results. Please help me.
     
  2. Random

    Random Private E-2

    This probably won't help but maybe try A-Squared, another spyware removal tool, helped me get rid of something that neither Spybot S&D nor Ad-Aware could once so it might work :)

    Oh, and there are more removal tools at the top of the section

    http://www.emsisoft.com/en/
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. quangpt

    quangpt Private E-2

    Thanks for all of your help in this forum. I'm very grateful for all of you gentlemen and wish all of you well.

    I had followed exactly as instructed and discovered/cleaned many spywares in my system. :rolleyes: The HJT log seemed to me OK, that means information reported in this log showed trustworthy sources and locations, at least to my humble knowledge.

    However, my modem still does a lot of sending. The number of receiving bytes is always less than sending, and even on no activities, the modem is still sending who-knows-what.

    I'm beginning to think that could it be a modem malfunction? Anyone experiencing this situation please let me know.

    Thanks.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please post a current HJT log so that we can confirm your being clean. Thanks!
     
  6. quangpt

    quangpt Private E-2

    Thanks a lot for Master Sergeant. Very appreciate your reply. Will attach my latest HJT log for you all.

    It seemed that I had fixed my problem by UPGRADING my system (XP SP1) to SP2 from a good source. Windows guys may have fixed those modem drivers.

    Wish all of you good health and all the best.

    I hope to be the promoter of Major Geeks in my company (FPT) for all of these noblesse obliges from all of you.

    Thai, Pham Quang
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! But you still did not post your log!
     
  8. quangpt

    quangpt Private E-2

    Thanks Mr. Chaslang. You always are a very helpful and reliable source. I'm attaching my HJT log for you all to see. Please get back to me for advice and guidance or questions.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After getting the proper version of HijackThis, follow the steps below.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINNT\system32\navprotect.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
    O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
    O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\navprotect.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    Now:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin
    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
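
An added example, not part of any post in this thread: a Python check that compares the HijackThis lines selected for fixing above against a follow-up log, reports any that survived the cleanup, and lists which autostart keys launch each executable. The follow-up log and its `ExampleUpdater` entry are constructed, and the function names are hypothetical.

```python
import re

# Lines the post says to select in HijackThis (copied from the post).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKLM\..\RunServices: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
"""

# Constructed follow-up log (not from the thread): one entry survived the fix.
SAMPLE_NEW_LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O4 - HKCU\..\Run:  [NAV Auto Protect]  NAVPROTECT.EXE
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")   # e.g. "O4 - ..."
O4 = re.compile(r"^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE = re.compile(r'[^\\/"]+?\.exe', re.I)                     # image file name

def parse_entries(log_text):
    """Return {normalized_line: (section, body)} for every HJT entry line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Registry paths and file names are case-insensitive on Windows.
            norm = " ".join(m.group(0).split()).casefold()
            entries[norm] = (m.group(1), m.group(2))
    return entries

def still_present(fix_list, new_log):
    """Entries selected for fixing that still appear in the follow-up log."""
    new = parse_entries(new_log)
    return [f"{s} - {b}" for n, (s, b) in parse_entries(fix_list).items() if n in new]

def autorun_images(log_text):
    """Map executable name -> autostart keys (O4 entries) that launch it."""
    images = {}
    for section, body in parse_entries(log_text).values():
        m = O4.match(body) if section == "O4" else None
        if m:
            hit = EXE.search(m.group("cmd"))
            exe = (hit.group(0) if hit else m.group("cmd")).strip().casefold()
            images.setdefault(exe, []).append(m.group("key").strip())
    return images

if __name__ == "__main__":
    print(still_present(FIX_LIST, SAMPLE_NEW_LOG), autorun_images(FIX_LIST))
```

An empty result from `still_present` means none of the fixed entries came back after the reboot; any line it returns was either not removed or was rewritten by something still running.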
     
