Resolved HJT Threads: resolved spyware and popup issues.
#1 - Registered User
Hi...
I've been having a few problems with my computer.
Anyway, here's my HijackThis! log... (should I get a newer version?)

Quote:

I have Spybot - Search and Destroy, Ad-Aware SE Personal, AVG Free and PCGATE Personal on my computer. I think the Windows Firewall that came with SP2 is active as well. Thanks in advance...
#3 - Registered User
Seems that I can't edit the first post now... I've gone to Safe Mode and run Spybot, Ad-Aware, AVG and CWShredder before rebooting and running the Trend Micro online program. The first two found CnSMin stuff which I wasn't sure about deleting as apparently it's part of the browser finding Asian sites (or something like that), so I didn't. Trend Micro found three bad files, which have now been deleted.
I ran HijackThis! and then ran the analyser and got this result...

Quote:
#4 - Analyst, Security Team
What happened here? Did someone provide a fix for you? You had a serious infection there in your initial log, but I don't see it now in your second log.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different: when you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off System Restore by right clicking on My Computer and going to Properties->System Restore; check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and have verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\conime.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d:\foo.mht!http://fastsearchweb.com/counter/new/x.chm::/update.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} -
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} -
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB

Delete the following files/folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\conime.exe

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

I couldn't find much information on these:

C:\WINDOWS\System32\hfsmop.exe
C:\Program Files\????????????\piputil.exe
O4 - HKLM\..\Run: [HFSMOP] C:\WINDOWS\System32\hfsmop.exe

Do you know what they are for? If not, right click on that hfsmop.exe file and go to Properties->View to see what information you can get there.

Do this now: Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready.

With that said (when ready): Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As... Save it.

Please follow the steps below:

1. Download/run the following uninstallers:
Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip
2. Run Kill2Me.
3. Unzip the pv.zip file's contents to your Desktop (NOTE: It MUST be on your Desktop!).
a) Open that folder on your Desktop and double click on the runme.bat file.
b) Type in 3 and hit your Enter key. Save the log file.
c) Type in 5 and hit your Enter key. Save the log file.
d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below.
4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later.
5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
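The analyst's fix list above mixes four HijackThis section types (O1 hosts redirects, O4 autorun entries, O15 Trusted Zone / ProtocolDefaults changes, O16 Downloaded Program Files) and the reason each is suspect is different. The following is an added example, not code from the original post or from HijackThis: a small Python triage pass over the entries quoted above, plus two constructed benign lines (a 127.0.0.1 blocklist-style hosts entry and an example.com control). The verdict rules (any O1 mapping to a non-loopback address, any O15 change, any O16 source that is not plain http/https or chains into a CHM or .exe) are the editor's own heuristics, not anything the analyst states.

```python
"""Triage HijackThis-style log lines by section type (O1, O4, O15, O16).

Added example; the heuristics below are the editor's, not HijackThis rules.
"""
import re
from urllib.parse import urlsplit

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Addresses a hosts entry may legitimately point at (loopback / blackhole blocklists).
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the entries listed in the post above plus two constructed
# benign lines (ads.example.net blocklist entry, example.com control). Not a real log.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 127.0.0.1 ads.example.net
O4 - HKLM\..\Run: [HFSMOP] C:\WINDOWS\System32\hfsmop.exe
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d:\foo.mht!http://fastsearchweb.com/counter/new/x.chm::/update.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} -
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://example.com/control.cab
"""


def triage_dpf(section, body):
    """Judge one O16 (Downloaded Program Files / ActiveX) entry."""
    guid = GUID_RE.search(body)
    rest = body[guid.end():] if guid else body
    url = rest.strip().lstrip("- ").strip()
    if not url:
        return (section, "review", "DPF entry with no source URL; inspect the control on disk")
    scheme = url.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        # ms-its:/mhtml: handlers load a CHM and run code out of it; never a legitimate ActiveX source.
        return (section, "flag", f"non-HTTP protocol handler '{scheme}:' used as DPF source")
    low = url.lower()
    if "::/" in low or low.endswith(".exe") or "!http" in low:
        return (section, "flag", "DPF source chains into an embedded or executable payload")
    return (section, "review", "ActiveX download from " + (urlsplit(url).hostname or "?"))


def triage_line(line):
    """Return (section, verdict, reason); verdict is 'flag', 'review' or 'ok'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("?", "ok", "not a HijackThis section line")
    section, body = m.groups()
    if section == "O1":
        # "Hosts: <addr> <name>": anything not loopback silently redirects that name.
        parts = body.split(":", 1)[1].split()
        if len(parts) >= 2 and parts[0] not in LOCAL_TARGETS:
            return (section, "flag", f"hosts file sends {parts[1]} to remote address {parts[0]}")
        return (section, "ok", "loopback/blocking hosts entry")
    if section == "O15":
        # Trusted Zone additions and ProtocolDefaults changes are almost never made by the user.
        return (section, "flag", "Trusted Zone / ProtocolDefaults change: " + body)
    if section == "O4":
        return (section, "review", "autorun entry, verify the binary: " + body)
    if section == "O16":
        return triage_dpf(section, body)
    return (section, "ok", body)


def triage_log(text):
    return [triage_line(line) for line in text.splitlines() if line.strip()]


def summarize(results):
    """Count verdicts, e.g. {'flag': 4, 'review': 4, 'ok': 1} for SAMPLE_LOG."""
    counts = {}
    for _, verdict, _ in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for section, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{verdict:6} {section:4} {reason}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

The point of separating "flag" from "review" is that O4 and plain-http O16 entries are not evidence by themselves (the Java and MSN controls the poster later lists live in the same folder); the O1 redirect, the O15 zone changes and the ms-its: chain are the entries that cannot have a legitimate origin.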
#5 - Registered User
The computer's been off since I posted that second log in the forum, and the next time I'll definitely be able to keep the computer on isn't for a couple of days. Is that going to affect anything?
It seems the first log was really old, as it says that I was running SP1. I do have a yellow shield (something new since I got SP2) in the taskbar telling me to install something (I think). It's in Japanese so I can't exactly tell what it is. Should I download it now or wait until this infection is cleared up? One more thing... what infection(s) does the computer have and what is its function?
#6 - Analyst, Security Team
Yes, that shield is for Microsoft Update. You should not have installed SP2 yet. You need to remove this infection first because Microsoft will start acting up if SP2 is installed on an unstable system (like you have right now).
You have the iGetNet infection. Look2Me might be here also. So you will need to run those programs we asked for previously (hold on to the others that you didn't use yet, we'll use them later).
#7 - Registered User
Understood... I heard that it's possible to uninstall SP2, would that be any help?
When I get a chance (hopefully later today) I'll do all the instructions you outlined in one go. That is, unless you post again before I start telling me to only go up to a certain spot.
#8 - Analyst, Security Team
If it's not giving you problems, I would leave it for now. If you want to keep it for now, my suggestion is to reinstall it when all of this is done. Or if you want, revert back to SP1 now and do the fixes.
#11 - Registered User
Finally able to keep the computer on, I hope you all aren't asleep...

Quote:

piputil seems to be the program it uses. Look2Me Uninstaller: No version found to uninstall; could it be because I started using Opera and haven't run IE for almost a week now? IGN Keyword Uninstaller and ClearSearch Uninstaller said to reboot the computer, but I haven't done it yet... should I do so now?

Quote:
Quote:
Quote:
Quote:

C:\Program Files\Internet Explorer\
|
|||||
|
|
|
|
#12 - Analyst, Security Team
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\system32\conime.exe

Delete this file:

C:\WINDOWS\system32\conime.exe

Download L2MFix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!
#13 - Registered User
Here it is... I got a popup twice that mentioned autoexec.bat but I thought that pressing yes would stop the scan, so I pressed no. I hope that was the right thing.

Quote:
#14 - Analyst, Security Team
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so! Also give us an updated HijackThis log.
#15 - Registered User
I noticed the conime.exe file while doing the HijackThis scan this time and deleted it...

Quote:
Quote:
#16 - Analyst, Security Team
It looks good, but just to make sure:

Go to c:\windows\system32\drivers\etc and open up the hosts file (no extension) in Notepad. There should be a bunch of lines with a # in front of them followed by a single line like:

127.0.0.1 localhost

If you have anything after that, please post it here. If that's ok, then:

Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.
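The hosts-file check the analyst asks for above (only comment lines and `127.0.0.1 localhost` should be present) is easy to automate, and automating it separates the two things a non-default line can mean: a name pinned to loopback (an ad-blocking style entry, harmless but worth confirming the user added it) versus a name sent to a remote address, which is the O1 hijack from the first fix list. The code below is an added example, not part of the original post; the sample hosts content is constructed, and the `64.91.255.87 www.dcsresearch.com` line is the O1 entry quoted earlier in the thread.

```python
"""Audit a Windows (or Unix) hosts file for entries beyond the default localhost line.

Added example, not from the original post. Reads nothing unless run as a script.
"""
import os
import platform

# Loopback / blackhole targets: a name mapped here is blocked, not redirected.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# The only mappings expected in a clean file.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample modelled on a Windows XP hosts file; not taken from the poster's machine.
SAMPLE_HOSTS = """\
# Constructed sample, modelled on a Windows XP hosts file.
# Lines starting with # are comments and are ignored by the resolver.
127.0.0.1       localhost
127.0.0.1       ads.example.net   # constructed blocklist-style entry
64.91.255.87    www.dcsresearch.com
"""


def hosts_path():
    """Default hosts location; %SystemRoot%\\system32\\drivers\\etc\\hosts on Windows."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def audit_hosts(text):
    """Return (redirects, blocks) as lists of (line_no, address, name).

    redirects: names resolved to a non-loopback address (the O1 hijack pattern).
    blocks:    names pinned to loopback other than localhost (blocklist style; confirm with the user).
    """
    redirects, blocks = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, inline or full-line
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # malformed line; nothing resolves from it
        addr, names = parts[0], parts[1:]
        for name in names:
            if (addr, name) in EXPECTED:
                continue
            entry = (line_no, addr, name)
            (blocks if addr in LOOPBACK else redirects).append(entry)
    return redirects, blocks


def is_clean(text):
    """True when no name is redirected to a remote address."""
    redirects, _ = audit_hosts(text)
    return not redirects


if __name__ == "__main__":
    path = hosts_path()
    with open(path, encoding="utf-8", errors="replace") as fh:
        redirects, blocks = audit_hosts(fh.read())
    for line_no, addr, name in redirects:
        print(f"REDIRECT line {line_no}: {name} -> {addr}")
    for line_no, addr, name in blocks:
        print(f"block    line {line_no}: {name} -> {addr}")
    print("clean" if not redirects else "hosts file has remote redirects")
```

One caveat worth knowing when this check comes back clean but name resolution still misbehaves: Windows reads the hosts file from the directory named in the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so a file at the default path can be clean while the one actually in use lives elsewhere; compare that value against the default `%SystemRoot%\System32\drivers\etc` before trusting the result.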
#17 - Registered User
Erm...
Quote:
The only reasons I can think of are...
#18 - Registered User
I just noticed that it's exactly the same as the hosts log I posted earlier (check post #11). Just before it I posted...

Quote:
#19 - Analyst, Security Team
OK, do this again. If VX2Finder doesn't find anything (just one or two lines), then just post that here. We'll see it.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready.

With that said (when ready): Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As... Save it.

Please follow the steps below:

1. Download/run the following uninstallers:
Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip
2. Run Kill2Me.
3. Unzip the pv.zip file's contents to your Desktop (NOTE: It MUST be on your Desktop!).
a) Open that folder on your Desktop and double click on the runme.bat file.
b) Type in 3 and hit your Enter key. Save the log file.
c) Type in 5 and hit your Enter key. Save the log file.
d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below.
4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later.
5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.
#20 - Registered User
Log 3 was empty...

Quote:
Quote:
Quote:

The rest is exactly the same as before...

Downloaded Program Files (description in brackets):

{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
FileSharingCtrl Class (fsmsngr Module)
Java Runtime Environment 1.4.2
Java Runtime Environment 1.4.2
MessengerStatsClient Class
MsnMessengerSetupDownloadControl Class
Solitaire Showdown Class
ウイルスバスター (Virus Buster) On-line Scan

The first two didn't have a description, but on the first tab the piece of information above the (install?) date was (ActiveX コントロール); the last word means "control" in Japanese. The On-Line Scan one I think says something like Wills Buster. It's the first word I'm not sure of...

C:\Program Files\Internet Explorer\ Folders