TechSpot

Abebot, trojans, need help

By wannabee
Apr 2, 2008
  1. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Just doing the daily check to see if you've been back to this board. It's been a week since I've run any kind of scan or fix on this thing, and this morning I thought I heard it let out a belly laugh as it booted. Little does it know, if it comes right down to it, I'll win however I have to! Hope you're doing well and not drowning in too many issues out there!
     
  2. kritius

    kritius TS Guru Posts: 2,087

    Run a fresh HJT scan for me. Sorry about the lack of response.
     
  3. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    fresh scan

    No worries, believe me i understand hectic!!

    Fresh scan attached. Still can't get rid of that pesky nttv entry
     
  4. kritius

    kritius TS Guru Posts: 2,087

    Hmmm,

    Ok then, lets dig a little deeper.

    : Download and Run DSS

    Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
    • Attach the main.txt and the extra.txt in your reply.
     
  5. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    deckard

    Cheers! Good luck!
     
  6. kritius

    kritius TS Guru Posts: 2,087

    Go to add/remove programs and remove,
    Viewpoint Media Player
    ZoneAlarm Spy Blocker


    Since recently, Zonealarm decided to include a "ZoneAlarm Spy Blocker toolbar" as well which is an optional during install.

    However, this Toolbar now uses the AskJeeves/Ask.com searchengine.

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Documents and Settings\All Users\Application Data\Symantec
      C:\Documents and Settings\Christine\Application Data\Symantec
      C:\Documents and Settings\All Users\Symantec Temporary Files
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XcKh$vùõš/‚²ÆßfÏNC:
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XcKh$vùõš/‚²ÆßfÏNC:\Program Files\ISTsvc\istsvc.exe\\C:\WINDOWS\kcuwqyho.exe
      HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XcKhBenU\\C:\WINDOWS\kcuwqyho.exe
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  7. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    File was 5k characters to long to post....see attached notepad file.
     
  8. kritius

    kritius TS Guru Posts: 2,087

    Can you run HJT again?
     
  9. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    my bad...I could have sworn i attached a new hjt scan...here ya go.
     
  10. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Just a quick one....since removing viewpoint media manager I am gettnig bothered by popups asking me if i'd like to install adobe flash player....are these connected? I keep saying no, but even techspot wants to install flash on every visit...
     
  11. kritius

    kritius TS Guru Posts: 2,087

    Dont think that theyre related but it should be ok to go ahead and install it. Looking over the HJT log now.
     
     
  12. kritius

    kritius TS Guru Posts: 2,087

    I would like you to do an online scan so that we can what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [​IMG]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [​IMG]
    • Include the report in your next post.
     
  13. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    kapersky scan

    attached kap0418 scan
     
  14. kritius

    kritius TS Guru Posts: 2,087

    Thats pretty much clean, how is the computer running at the minute?
     
  15. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Good to hear, I got nervous when I saw infected files and a couple viruses listed in the summary.....those just random items?

    Computer is running better than my laptop at this point...
     
  16. kritius

    kritius TS Guru Posts: 2,087

    C:\Documents and Settings\Christine\Desktop\ComcastToolbar.exe this was infected with adware and if you dont need it then its should be ok to delete, the other one is in system restore which we will tak of right now,

    Please download the OTMoveIt2 by OldTimer.

    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide

      or

      Windows Vista System Restore Guide

    Re-enable system restore with instructions from tutorial above

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

      Instructions for Spybot S & D

    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
     
  17. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    i'll work on gettnig all that on here before returnng the system.

    Any idea of how i can get the cd/dvd drives recognized again? At first mention it was the least of the problems, but still are listing registry errors in device manager
     
  18. kritius

    kritius TS Guru Posts: 2,087

    Not really sure, I just normally do Malware, maybe if Kimsland or someone sees this they may be able to help better.
     
  19. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    might be a useful note...not sure what it means....when i try to move out of the IE window, and its only since this last reboot/scan/ whatever. i am seeing floating ad windows (I am in techspot website, nowhere else) Is that due to the fact that i have not installed a popup blocker yet? Just confused because of the nature...since they aren't really popups, more like floaters....

    Still working on your list...errors found in the registry is what device manager lists as the problem with the drives. No go on deleting and trying to recognize again.
     
  20. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    maybe i will leave this tremendously long thread and move on to a new one in a new forum....just won't be the same though....this has been a rather entertaining 3 weeks.

    Thanks again so much for your help.
     
  21. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Hi wannabee

    Just replying, regarding CD/DVD drives missing

    Run REGEDIT, open up the following folders:
    • HKEY_LOCAL_MACHINE
    • SYSTEM
    • CurrentControlSet
    • Control
    • Class
    • {4D36E965-E325 -11CE-BFC1-08002BE10318}
    After clicking on {4D36E965-E325 -11CE-BFC1-08002BE10318} you should see two settings on the right-hand side:
    • "Upperfilters"
    • "Lowerfilters"
    Click on each of them, press DELETE and click YES.

    Rescan h/w in Device Manager

    You may need to restart from doing this

    edit:

    In some cases only the "Upperfilters" or only "lowerfilters" will be present in Registry
    In this case just remove which ever is there. Restart and scan Device Manager once completed.
    .
     
  22. wannabee

    wannabee TS Rookie Topic Starter Posts: 30

    Thank you Thank you Thank you

    for all your help, returned the machine today, and they are very excited to have it back!!! Thanks again..I may even use a few tricks I learned to see if I too am infected on this computer :)

    I really appreciate all your help!

    Kristin
    a "wannabee" even more....
     
  23. kritius

    kritius TS Guru Posts: 2,087

    Dont know if you would be able to do this but I would like you to get them to try this,
    just found out something about that O23 entry,

    Download haxfix.exe
    Save it to your desktop.
    Close down all applications and every browser window.
    Double-Click onto the haxfix.exe, to start the installation.
    Put a checkmark next to "Create a desktop icon".
    Click "Next" and follow the prompts on the screen.
    When the installation is finished, make sure that "Launch HaxFix" is enabled.
    Click "Finish".
    Now a Red DOS Window opens with the following options to chose:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    4. Run unknown fix
    E. Exit Haxfix

    Option 1: Make logfile.
    Chose the Option 1: Create a log by pressing 1
    This will need a moment of your time. When the HaxFix is finished, a textfile opens (haxlog.txt)
    Post it here.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.