HJT log... my comp is a mess

[Surm]

Hello...

Got a nasty addware on my comp today and its really annoying
No help from SpyBot or Adaware and the trend online scan didnt help either...

They all find something but cant handle it

Just hope someone can help me out here... thnx!

----

Heres my HJT log:

 

[howard_hopkinso]

Hello and welcome to Techspot.

Go HERE and follow the instructions.

Then, go HERE and follow the instructions exactly.

Post a fresh HJT log, only after doing the above.

Regards Howard :wave: :wave:

 

[Surm]

Hi again and thnx for the response...

I did as told on the help topics and did get rid of the stupid popup's

Spybot still keeps finding 2 reg entrys which he cant reapear even on the startupscan command service something something

----

the new log is here:

 

[RealBlackStuff]

You have the Francette worm
http://www.symantec.com/avcenter/venc/data/w32.francette.worm.html

 

[howard_hopkinso]

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Locate the following services(if there)

Microsoft Windows System
eventwvr

Double click on them and select stop if they are running. Set the startup type to disable. Click apply/ok.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

syshost.exe <Not to be confused with svchost.exe, which is legit.
eventwvr.exe

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(If there).

O4 - HKLM\..\Run: [eventwvr] E:\WINDOWS\system32\eventwvr.exe
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe

O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\RunServices: [eventwvr] E:\WINDOWS\system32\eventwvr.exe

O4 - HKCU\..\Run: [eventwvr] E:\WINDOWS\system32\eventwvr.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140698043328

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

E:\WINDOWS\system32\eventwvr.exe
E:\WINDOWS\system32\syshost.exe

Reboot into normal mode and turn system restore back on.

Get rid of that McAfee rubbish and download and install the free AVG antivirus programme and the free Zonealarm firewall.

You can get them from HERE and HERE.

Install Zonealarm, followed by AVG. Run the AVG updates, then do a full system scan in safe mode.

Regards Howard

 

[Surm]

Thnx again...

I did as told and it seems to be clean now. AVG did find some stuff and cured most of it but not an sc.exe file alltho its was marked as a virus :s

 

[howard_hopkinso]

Are you sure it was sc.exe? As this normally the Windows NT Service Management file.

Post a fresh HJT log and I`ll take a look.

Regards Howard

 

[Surm]

Spybot still keeps finding those to reg entrys he cant rep :s



and heres the new log:

 

[RealBlackStuff]

They must be false positives.
Your HJT-log is clean.

 

[Surm]

ah nice to hear that

Thnx alot and keep up the good work