• Content Count

  • Joined

  • Last visited

About insipid

  • Rank
    Malware Basher
  1. You could uninstall Ewido, the real-time protection is only a 14-day trial, but it's good to keep around for scanning purposes, you can still use it for that afterwards. I very much doubt it or HJT are blocking your connection. Can you describe your connection difficulties in more detail?
  2. Well, this log is from Normal Mode, well done . You can leave that 06 entry if you're not sure about it. The only thing I see that's left is this line: O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll" WildTangent is thought to collect data regarding your surfing habits and report back to it's controlling server. I suggest removing it, but the choice is yours. If you choose to remove it, fix the entry with HJT and then remove 'WildTangent' in Add/Remove Programs. Other than that, your log is clean. How's it running? To reduce re-infection potential for malware in the future: Please read Tony Klein's article: So how did I get infected in the first place?. It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to regularly and install ALL critical updates. It would be a good idea to install a firewall if you don't have one . Here are a few free ones: Kerio Personal Firewall Zone Alarm Sygate Personal Firewall I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad. Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below. Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.
  3. Dankwsc, that actually did quite a bit of good. We have more to do, though. Please first save these directions to the desktop as a text file, because you will need to copy and paste part of them later, once we are in Safe Mode. Click Start >> Run Type "services.msc" (without the quotes) in the run box that pops up. Locate Awlwsterkfp, right-click on it and select 'Properties'. Click 'Stop'. Set 'Startup Type' to 'Disabled'. Exit services.msc. 1) Please download the Killbox. Unzip it to the desktop but do NOT run it yet. 2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option. 3) Once in Safe Mode, please run Killbox. 4) Select "Delete on Reboot". 5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C: c:\winnt\system32\xdkbyxru.exe C:\WINNT\wupdt.exe 6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard". 7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.. Rescan with HijackThis and place a checkmark next to the following entries: O4 - HKLM\..\Run: [xdkbyxru] c:\winnt\system32\xdkbyxru.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe O23 - Service: Awlwsterkfp - Unknown owner - (no file) Did you, an Administrator, or a program such as Spybot Search & Destroy set the following restriction? If not, fix it too. O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present Now, close all windows including your browser and then click "Fix Checked" in Hijackthis. Reboot normally and post a fresh HJT log for review. If you still can't get one from Normal Mode, redownload HijackThis from Here . Unzip it to the same folder you have HJT in now, allowing it to overwrite the current version. If it still doesn't work, go ahead and post a log from Safe Mode.
  4. Go ahead and do the HijackThis fixes in Safe Mode, then post a new log, even if it's from Safe Mode too. We'll see where we're at .
  5. chupzy, there's still one bad process showing in your log. C:\WINNT\System32\irftp.exe is a variant of the W32/SDBOT worm. Please run both of these online virus scans: Trendmicro Housecall....Panda Active Scan For Housecall, select the 'Autoclean' option. Please tell me of any files it can't clean. For Panda, use the default settings and save the log it generates to post in your next reply. Reboot and post a fresh HijackThis log as well as the Active Scan report .
  6. Please proceed with the fix without updating Ewido. We'll work it out.
  7. Dankswsc, since I haven't heard back I'm going to work with this log. You have quite a mess there, so this may take a few posts to clear up. First, download and install CleanUp! but do not run it yet *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. Download, install, and update Ewido Security Suite Install ewido security suite Launch ewido, there should be a big E icon on your desktop, double-click it. The program will prompt you to update click the OK button The program will now go to the main screen You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start The update will start and a progress bar will show the updates being installed. After the updates are installed, exit Ewido Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Once in Safe Mode, Run Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). After you're done running Cleanup! follow the instructions below Run Ewido. Click on scanner Make sure the following boxes are checked before scanning: Binder Crypter Archives [*]Click on Start Scan [*]Let the program scan the machine While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK. Once the scan has completed, there will be a button located on the bottom of the screen named Save report Click Save report Save the report to your desktop Reboot into normal mode. Go to Start > Control Panel > Add or Remove Programs and remove the following: SpySheriff Exit Add or Remove Programs. Delete the following, in bold, if found: C:\Program Files\SpySheriff <-whole folder C:\Windows\Desktop.html C:\winstall.exe Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT\system32\msblank.html R3 - URLSearchHook: (no name) - {C6000CE3-6670-D005-3C35-F82D96F63836} - NsCplTray.dll (file missing) O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll O2 - BHO: Internet Explorer Hot Fix - {D849BA66-677C-421A-9916-FCFB5D6B9A75} - C:\WINNT\system32\itunb.dll O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\system32\vfxrc.dll O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe O4 - HKLM\..\Run: [WindowsUpdate] C:\WINNT\System\svchost.exe /s O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\popcorn64.exe rundll.dll,LoadMouseProfile O4 - HKLM\..\Run: [abrek] PasswdMon.exe O4 - HKLM\..\Run: [MONITER] DTOURS.exe O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe O4 - HKCU\..\Run: [eB7mRPfsj] aamcom.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - HKCU\..\Run: [spySheriff] C:\Program Files\SpySheriff\SpySheriff.exe O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe" O4 - HKCU\..\Run: [setupExeDll] RtlFindVal.exe O4 - HKCU\..\Run: [keybdll] SysEntry.exe O4 - HKCU\..\Run: [xxtoolbar] 34763.exe O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU) O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU) O15 - Trusted Zone: * O15 - Trusted Zone: * O15 - Trusted Zone: * O15 - Trusted Zone: * (HKLM) O15 - Trusted Zone: * (HKLM) O15 - Trusted Zone: * (HKLM) O15 - Trusted IP range: O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - O20 - Winlogon Notify: style2 - C:\WINNT\q20924938_disk.dll O23 - Service: Awlwsterkfp - Unknown owner - (no file) Close HiJackThis. Please delete these Folders and Files using Windows Explorer: C:\WINNT\q20924938_disk.dll << This file C:\Program Files\WareOut << This folder C:\Program Files\WareOut\WareOut.exe << This file * 34763.exe << This file * SysEntry.exe << This file * RtlFindVal.exe << This file C:\Program Files\WareOut\WareOut.exe << This file * aamcom.exe << This file * winole.exe << This file * DTOURS.exe << This file * PasswdMon.exe << This file C:\WINNT\system32\popcorn64.exe << This file C:\WINNT\System\svchost.exe << This file C:\Program Files\PSGuard << This folder C:\WINNT\system32\perfcl.exe << This file C:\WINNT\system32\vfxrc.dll << This file C:\WINNT\system32\itunb.dll << This file C:\WINNT\system32\vfxrc.dll << This file C:\WINNT\ceres.dll << This file * Locate via Start > Search RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop. Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES. After the merged successfully prompt, please reboot your computer. You should be able to change your desktop back to normal now. Post the report from Ewido and a new HiJackThis log into this topic.
  8. Ok, do what you can. If you can only get a log from Safe Mode, so be it. We'll work with what we have.
  9. I apologize, I didn't get the email notification that you had replied. Please post one more HijackThis log to be sure you got it all .
  10. chupzy, I see you're running Microsoft Anti-spyware, and this is good, but it may interfere with our fixes. Please disable it for the time-being by right-clicking it's icon in the System Tray and selecting 'Shut Down...'. Rescan with HijackThis and place a checkmark next to the following entries: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitenbt32.exe Now, close all windows including your browser and then click "Fix Checked" in Hijackthis. Please remove these entries from Add/Remove Programs in the Control Panel(if present): Elitebar Internet Explorer Toolbar (or similar) Oemji Toolbar Please delete these files using Windows Explorer(if present): C:\winnt\system32\elitenbt32.exe Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin. Reboot and post a fresh HJT log for review.
  11. User posted new topic, being helped here
  12. chupzy, I'm looking over your log now, I'll have a reply for you soon.
  13. Hi Dankwsc, I'm guessing the forum you were being helped at is Spywareinfo . That's my home forum, so it's only fitting that I should continue. Can you tell me the name of the helper that was working on your log so I can inform him/her, so they don't take the time to respond to your log when SWI gets back online? The HijackThis log you posted appears to be done in Safe Mode. Please post a log from Normal Mode, it's important I see everything that's running, and I'll be happy to help. Also, can you tell me what you mean when you say your Internet is "useless"? Is it that you can't get online at all, or that it's too messed up to do anything? I'd say we need to fix that as quickly as possible.
  14. I wish I could have helped more. Let me know how it turns out .
  15. Vile_DR, other than the Limewire thing, this looks great. In way of general cleanup, I have a couple of recommendations: MWAV detects WildTangent as a possible threat, Panda Active Scan does as well. I generally propose it as an optional fix, so I will do so here as well. It's unnecessary and possibly malicious. I suggest uninstalling WildTangent via Add/Remove Programs in the Control Panel (if it's there) and then deleting this directory: C:\Documents and Settings\mboree\Local Settings\Application Data\Wildtangent\ The other threats MWAV found are in the System Restore cache, you may want to purge it: Go to Start->Control Panel->System, System Restore. Click "Turn off System Restore". That will erase all restore points. You will be prompted to reboot. When Windows restarts, immediately go back in and uncheck "Turn off System Restore" to re-enable it. Windows will automatically create a new restore point. Did you try the Internet Explorer repair/reinstall yet? If Firefox is working fine, I'd say that's the next logical step, to eliminate a corrupt IE as a culprit. Let me know .