Please please please help..

Status
Not open for further replies.
Heya,

I have followed all the steps given in 'Viruses/Spyware/Malware, preliminary removal instructions' post and have attached the 3 log files that I got.

I first noticed the problem when my screen saver went blue and in the middle of the screen it said something along the lines of "spyware threat detected on your pc". This warning has now gone, but I'm still getting the Windows balloon saying my PC is infected with spyware.

here are my logs:

P.S. The Panda Antirootkit scan results were:

c:\windows\system32\hlp.dll

thanks in advance

cheers
 
Very very very brief look
These two can be removed:
C:\Documents and Settings\All Users\Application Data\fmhgbufa\zszmdcnu.exe
C:\WINDOWS\system32\zgdudafi.exe
Actually there's a few instances in HijackThis Log

Also consider removing Norton and installing AVG Free
Update 3 times (initially only) then run a full scan
 
P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Limewire

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.
 
Thanks for the input so far peeps, much appreciated,

So far I have removed Norton, installed AVG, run the updates and am now scanning the PC.

thanks for taking the time out to help

all advice welcome and very much appreciated
 
One alteration to AVG default install settings

Confirm Scheduler is not set to run on every system restart
  • Open AVG Control Center
  • Click to highlight Scheduler
  • Click on Scheduled Tasks button
  • Double click on Test Plan in Basic Mode
  • Uncheck "Periodically start scheduled antivirus test"
  • Ok Close (X)
 
thanks kimsland, all set as per your below instructions

I'm still having probs with:

c:\windows\system32\hlp.dll

and avg is reporting:

Threat detected!
while opening file: c:\windows\system32\hlp.dll
Trojan horse backdoor.agent.nrb

it won't allow me to heal, or move to vault

the warning from AVG for the above only pops up once I carry out an action, e.g. open my email or open a browser, but every time I carry out any action that warning pops up

any ideas what is going on???

cheers
 
Please Disable System Restore (howto)

Then download Move On Boot from here

Once installed click on Start--> All Programs -->GiPo@Utilities-->MoveOnBoot
Paste this exactly in the white area: c:\windows\system32\hlp.dll
Click next, and then select Delete, then select Start

Restart
Confirm c:\windows\system32\hlp.dll has in fact been deleted

If it has gone, please re-enable System Restore

Reply back with the result
 
Before doing that, try an online scan with Kaspersky,

it will let us get a better idea of what is happening in there

We can also use HJT to get rid of the nasty or the pocket killbox, HijackThis would be preferable seeing as how you already have it installed.

I would like you to do an online scan so that we can see what else may be in your system,
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Kas-SaveReport-1.gif

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    Kas-Savetxt.gif

  • Include the report in your next post.

Delete Files on Reboot
  • Start Hijackthis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the button labeled Delete a file on reboot...
    A new window will open asking you to select the file that you would like to delete on reboot.
  • Navigate to each file and click on it once, and then click on the Open button.
    c:\windows\system32\hlp.dll
  • You will now be asked if you would like to reboot your computer to delete the file.
  • Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.
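
A way to check the "delete on reboot" step before and after restarting, as an added example that is not part of the original thread. It assumes the delete was queued through Windows' standard MoveFileEx delay-until-reboot mechanism, which the Session Manager records in the PendingFileRenameOperations registry value (the thread does not say how MoveOnBoot or HijackThis queue it); the function name is hypothetical.

```powershell
# Added example, not from the thread. Assumption: the delete was queued with
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which Windows stores in the
# PendingFileRenameOperations value as source/destination string pairs.
$target = 'c:\windows\system32\hlp.dll'   # path taken from the thread

function ConvertTo-PendingOperation {
    # Hypothetical helper: turns the REG_MULTI_SZ pairs into objects.
    # An empty destination means "delete the source at next boot".
    param([string[]]$Entries)
    $ops = @()
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        # Paths are stored in NT form (\??\C:\...); strip the prefix.
        $src = $Entries[$i] -replace '^\\\?\?\\', ''
        # A trailing empty string can be dropped when the value is read,
        # so a missing destination is treated as empty (a delete).
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        # A leading "!" on the destination means "replace if it exists".
        $dst = $dst -replace '^!?\\\?\?\\', ''
        $action = if ($dst) { 'Rename' } else { 'Delete' }
        $ops += [pscustomobject]@{ Source = $src; Destination = $dst; Action = $action }
    }
    return $ops
}

# Constructed sample value (not real data), showing both kinds of entry.
$sample = @('\??\C:\Temp\old.tmp', '\??\C:\Temp\new.tmp',
            '\??\c:\windows\system32\hlp.dll', '')
ConvertTo-PendingOperation $sample | Format-Table -AutoSize

# Live check on the machine being cleaned.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
$queued = ConvertTo-PendingOperation $raw |
    Where-Object { $_.Source -eq $target -and $_.Action -eq 'Delete' }

if ($queued) {
    "Queued for deletion at next boot: $target"
} elseif (Test-Path -LiteralPath $target) {
    "Still present and NOT queued for deletion: $target"
} else {
    "Not present (deleted): $target"
}
```

Run it once after queueing the delete and again after the restart; the second run should report the file as not present.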
 