Dan

Everything posted by Dan

  1. Dan

    Hijack Log

    Please print these instructions out for use in Safe Mode.

    First, please go to Start --> Control Panel --> Add Remove Programs. Uninstall ISTSVC.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files. This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
    • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
    • You will first be presented with a warning. It should look like this
    • At this point press Enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
        C:\WINDOWS\system32\byxut.dll
    • Press Enter to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
        C:\WINDOWS\system32\tuxyb.*
    • Press Enter to continue with the fix.
    • The fix will run, then HijackThis will open. If it does not open automatically, please open it manually.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
        O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byxut.dll
        O4 - HKLM\..\Run: [ó# K"h'þ9Óœ÷3rÃ…WC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\jwbgsipl.exe
        O20 - Winlogon Notify: byxut - C:\WINDOWS\system32\byxut.dll
    • After you have fixed these items, close HijackThis.
    • Press Enter to exit the program, then manually reboot your computer.
    • Once your machine reboots, please continue with the instructions below.

    Download and install CleanUp!

    Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

    • Click "Options..."
    • Move the arrow down to "Custom CleanUp!"
    • Put a check next to the following (make sure nothing else is checked!):
        Empty Recycle Bins
        Delete Cookies
        Delete Prefetch files
        Cleanup! All Users
    • Click OK.
    • Press the CleanUp! button to start the program.
    • It may ask you to reboot at the end; click NO.

    Next, please enable viewing of hidden files as follows:

    1) Go to My Computer, and click on the "Tools" menu
    2) Click "Folder options"
    3) Select the "View" tab
    4) Make sure "Show hidden files and folders" is selected
    5) Make sure "Hide extensions for known file types" is unchecked
    6) Make sure "Hide protected operating system files (recommended)" is unchecked

    Locate the following file and delete it:
        C:\WINDOWS\jwbgsipl.exe

    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the VundoFix folder into this topic.
  2. Can you post a log in regular mode please? Thanks, Danny
  3. Dan

    Had A Trojan

    Hi,

    Did you run those scans? If you did, please run Ewido:

    Please download ewido security suite; it is a free version of the program.

    • Install ewido security suite.
    • When installing, under "Additional Options" uncheck:
        Install background guard
        Install scan via context menu
    • Launch ewido. There should be an icon on your desktop; double-click it.
    • The program will now open to the main screen.
    • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    • You will need to update ewido to the latest definition files. On the left-hand side of the main screen click Update. Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").

    If you are having problems with the updater, you can use this link to manually update ewido: ewido manual updates

    Once the updates are installed, do the following:

    • Click on Scanner.
    • Click on Complete System Scan and the scan will begin.
    • You will be prompted to clean the first infection. Select "Perform action on all infections", then proceed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.
    • Close ewido security suite.

    Post a new log and the Ewido log as well.

    Danny
  4. Dan

    Hijack Log

    Hi,

    I suggest you uninstall Blubster. This program contains spyware and adware. More info here: http://spywareinfo.com/articles/p2p/

    Open HijackThis and check the following items (if present):

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
        O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
        O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
        O4 - HKLM\..\Run: [Vsfupp] C:\Program Files\Kpigv\Apcvmrl.exe
        O4 - HKLM\..\Run: [AutoLoaderqxuv1dKUIKKK] "C:\WINDOWS\system32\tcpmo.exe" /PC="CP.IST" /ShowLegalNote="nonbranded" /UninstallName="CtxPls"
        O4 - HKLM\..\Run: [q25T3pX] tcpmo.exe
        O4 - HKCU\..\Run: [b1u3Rfb4T] swpvideo.exe
        O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab

    Close all windows except HijackThis and click the "Fix Checked" button.

    Next, please enable viewing of hidden files as follows:

    1) Go to My Computer, and click on the "Tools" menu
    2) Click "Folder options"
    3) Select the "View" tab
    4) Make sure "Show hidden files and folders" is selected
    5) Make sure "Hide extensions for known file types" is unchecked
    6) Make sure "Hide protected operating system files (recommended)" is unchecked

    Locate and delete the following files/folders:

        C:\Program Files\Kpigv
        C:\WINDOWS\system32\tcpmo.exe

    Click Start --> Search. Search for swpvideo.exe and delete it.

    Reboot and post a new log.

    Danny
  5. Dan

    Had A Trojan

    Hi, Please download the updated version of HijackThis 1.99.1 http://www.besttechie.net/tools/HijackThis.exe Post a new log. Danny
  6. Hi,

    Click Start --> Control Panel --> Add Remove Programs. Uninstall (if present):

        WinTools
        Media Access

    Open HijackThis, click the "Scan" button, and check the following items (if present):

        O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
        O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (file missing)
        O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
        O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
        O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteA.../bridge-c10.cab

    Close all windows except HijackThis and click the "Fix Checked" button.

    Locate the following folders and delete them (if present):

        C:\PROGRA~1\COMMON~1\WinTools
        C:\Program Files\Media Access

    Reboot and post a new log.

    Danny
  7. I'm looking forward to the changes here Danny
  8. Hi, Can you please turn off wordwrap? To do this: Open Notepad, and uncheck "Format -->Wordwrap". Post a new log. Danny
  9. Hey! I'll check it out later, since my school filters block it (Adult Content :x) Danny
  10. Hey Jeff, Are you sure that the directory is CHMOD'd correctly? Danny
  11. Cool TT Hopefully people'll abandon that place
  12. Just forget her then...just say "Have fun infecting your computer again" Danny
  13. Yes! Welcome back besttechie.net once again!!! Danny
  14. Hi,

    Boot into Safe Mode. Open up VundoFix, and follow the previous directions. Instead, please use these file names:

        C:\WINDOWS\system32\byvww.dll
    For the first file name ^^

        C:\WINDOWS\system32\wwvyb.*
    For the 2nd file name.

    Please post back a new HijackThis log and a VundoFix log.

    Danny
  15. I second laxman. I have it on my computer and it works wonderfully (you need to download codecs for some tho). Danny
  16. Hi, I don't think you can. http://www.famatech.com/products/comparisons/ There it says the features of it. But you can run IE or an ftp program on there right? You could upload the files to a server, or email them to yourself...Kinda a pain tho. Danny
  17. Great suggestions...I would let her sue as well; not my money I'm wasting Danny
  18. Can you post a new HijackThis log, to see if there are any remaining items to fix? Thanks, Danny
  19. YAY!!! I'm so glad BT is back up Jeff, I know how much this site means to you, and I'm glad to have it back up Danny
  20. Hi, I believe they are just random baddies. This may happen from just being on an unprotected computer that is on the internet for a couple of hours. PlanDvd.exe is a random malware. If your firewall sees that an application is launching, etc, etc, say NO unless you know it's safe. Of course you can stay here! Feel free to post in Open Chat or wherever you want to! Danny
  21. Hi,

    Open HijackThis, and click the "Scan" button. Check the following items:

        R3 - URLSearchHook: (no name) - - (no file)
        R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
        O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)

    If you or your administrator did not put this restriction on Control Panel, also check this item. These restrictions can also be set by software like Spybot Search & Destroy, SpywareBlaster or another similar protection software:

        O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
        O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Now, close all windows except HijackThis and click the "Fix Checked" button.

    Reboot and post a new log.

    dk
  22. Hi,

    Sorry for the late reply.

    First, download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet access after removing NewDotNet.

    To get rid of NewDotNet, go to Start > Control Panel > Add or Remove Programs and remove the following:

        New.Net Applications or New.Net Domains (anything that says New.Net)

    If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

    In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right side, leave it as is and just click "Finish>>", then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove" panel, do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

    Next, open HijackThis, and check the following items (if present):

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
        O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
        O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
        O2 - BHO: (no name) - {116A7486-4EB4-2DA2-14A2-62D3A6375766} - C:\DOCUME~1\buddy\APPLIC~1\TRANSN~1\Dumbball.exe
        O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
        O4 - HKLM\..\Run: [extra hide anti ante] C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide\PlanDvd.exe
        O4 - HKCU\..\Run: [sign jugs] C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1\Axis Start.exe
        O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
        O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} -
        O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} -

    Close all windows except HijackThis and click the "Fix Checked" button.

    Next, please enable viewing of hidden files as follows:

    1) Go to My Computer, and click on the "Tools" menu
    2) Click "Folder options"
    3) Select the "View" tab
    4) Make sure "Show hidden files and folders" is selected
    5) Make sure "Hide extensions for known file types" is unchecked
    6) Make sure "Hide protected operating system files (recommended)" is unchecked

    Now, locate the following files/folders and delete them:

        C:\DOCUME~1\buddy\APPLIC~1\MIXLIE~1 << This folder
        C:\Documents and Settings\All Users\Application Data\wipemanagerextrahide << This folder

    Now reboot and post a new HijackThis log.

    Danny