TechSpot

hjt help!

By gabodire
Jun 15, 2007
  1. My computer was recently infected with winantiviruspro2006. I was having random pop-ups and my IE kept crashing. I think I have removed it but am not sure, as my IE still crashes often. Can someone please check my HJT log? Thanks a lot.
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi gabodire and welcome to techspot. =)

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, do the following.

    You are running an outdated version of HijackThis.
    You can obtain the latest version from the link in my signature.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    GPLv3
    NI.UWA6P_0001_N91M1807


    Go to start > Control Panel > Add and Remove Programs.
    Remove anything related to the following:

    Winantiviruspro 2006

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\mtncoiab.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F12DC648-1FF0-4814-A6E7-0A681D4E0C09} - C:\WINDOWS\system32\weurevei.dll (file missing)
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\iwuueccv.dll",realset
    O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "C:\Documents and Settings\Padreic\Desktop\WinAntiVirusPro2006FreeInstall.exe" -nag

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders in bold.
    C:\WINDOWS\system32\mtncoiab.dll
    C:\WINDOWS\system32\iwuueccv.dll
    C:\Documents and Settings\Padreic\Desktop\WinAntiVirusPro2006FreeInstall.exe

    Reboot into normal mode and rehide your protected OS files.

    Please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs, otherwise they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of gabodire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
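
The entries listed in the post above follow three HijackThis line formats (O2 browser helper objects, O4 Run keys, R0 Internet Explorer start page). The following is an added example, not part of the original thread or of HijackThis itself: a small parser that surfaces such lines for manual review. The review hints are illustrative assumptions, not the helpers' actual criteria, and a hint is a prompt to look closer rather than a verdict.

```python
import re

# Entry formats as they appear in the HijackThis lines quoted in this thread.
BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
RUN = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
START = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")

# Lines copied from the posts in this thread (not a complete log).
SAMPLE = r"""
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\mtncoiab.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F12DC648-1FF0-4814-A6E7-0A681D4E0C09} - C:\WINDOWS\system32\weurevei.dll (file missing)
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\iwuueccv.dll",realset
O4 - HKLM\..\Run: [NI.UWA6P_0001_N91M1807] "C:\Documents and Settings\Padreic\Desktop\WinAntiVirusPro2006FreeInstall.exe" -nag
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com
"""

def triage(line):
    """Return (section, reasons) for one log line; reasons are review hints (assumed heuristics)."""
    line = line.strip()
    reasons = []
    if m := BHO.match(line):
        if m["name"] == "(no name)":
            reasons.append("BHO has no display name")
        if m["target"] == "(no file)" or m["target"].endswith("(file missing)"):
            reasons.append("BHO registered but file absent (orphaned entry)")
        return "O2", reasons
    if m := RUN.match(line):
        cmd = m["cmd"].lower()
        if cmd.startswith("rundll32"):
            reasons.append("autorun loads a DLL export via rundll32")
        if "\\desktop\\" in cmd:
            reasons.append("autorun target lives on a user Desktop")
        return "O4", reasons
    if m := START.match(line):
        # Every start-page value is surfaced so the user can confirm they set it.
        reasons.append(f"IE {m['value'].strip()} set to {m['data']}")
        return line[:2], reasons
    return None, reasons

def flagged(log_text):
    """Map each flagged line to its review hints, skipping unrecognised lines."""
    out = {}
    for line in log_text.splitlines():
        section, reasons = triage(line)
        if section and reasons:
            out[line.strip()] = reasons
    return out

if __name__ == "__main__":
    for entry, why in flagged(SAMPLE).items():
        print(entry, "->", "; ".join(why))
```
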
     
  3. gabodire

    gabodire TS Rookie Topic Starter

    Hi,

    It took so long .. and I've been busy. AVG Antirootkit didn't find anything. The logs are attached.
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Please navigate to virusscan.jotti.org.

    Copy and paste the following into the text box at the top of the page.

    C:\WINDOWS\system32\mjcrost.dll

    Click the Submit button.

    Please let me know the results.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.

    Search your system for the filename adober.exe and delete all instances found.

    Then post back here with the results of the Jotti virus scan, as well as fresh HJT and ComboFix logs.

    Regards :)

    This thread is for the use of gabodire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. gabodire

    gabodire TS Rookie Topic Starter

    The Jotti scanner didn't find anything. I also couldn't find any instances of adober.exe ..... so the logs should be the same, but here they are.

    Thanks
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
    Drag the Combofix-Do.txt over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Question: What do you have as your F:\ ? Is it your CD Drive or portable hard drive? Please let us know the contents of this drive and what you use it for.

    Regards,
    Your friendly momok =)

     
  7. gabodire

    gabodire TS Rookie Topic Starter

    My F: is for my USB drive. It's just used for miscellaneous purposes. Contains documents, audio, movie files.
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Sorry for the delay in response.

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    I suggest you run AVG antispyware scan and include your usb drive in the scan. Plug it in before starting the scan so it appears for you to include for scanning.

    Thereafter, please post fresh gabodire HJT and AVG Antispyware logs from normal mode and the ComboFix log from the safe mode instructions as attachments into this thread.
     
  9. gabodire

    gabodire TS Rookie Topic Starter

    Hi Momok,

    That's alright, I've been a tad slow responding too. I seem to have misplaced my USB, so I didn't add it into the scan. Attached are the AVG, Combofix and HJT logs.

    Cheers~
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Please download and run CCleaner via step 9 of the instructions HERE.

    Have HijackThis fix this entry:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.finderg.com

    After this you're good to go.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    You may also delete the C:\VundoFix Backups folder and its contents.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

     
  11. gabodire

    gabodire TS Rookie Topic Starter

    Thanks so much Momok!
     
  12. momok

    momok TS Rookie Posts: 2,265

    No problems. Glad to help. =)
     
Topic Status:
Not open for further replies.
