Pretty Pretty Please help me (HJT log) Virus?


greeneyez07

I don't know what to do, I have tried everything and I am still having trouble. First off, I keep getting a message from Windows LiveCare that I have a trojan, something like win32 Adialer_gen.b or something like that. It keeps saying it quarantined it, but it keeps coming up that I have it. My computer is running awful and keeps freezing constantly. Here is my first HJT log. I also downloaded CWShredder but I have not run it yet. My Internet Explorer also was constantly changing my homepage to Google and kept redirecting me to different search pages when I searched for something on Yahoo. I downloaded IE 7 and that seems to have blocked that from happening. I still know that I have something going on, though.

Any help, pretty please with sugar on top, would help...
Kel
 
Hello and welcome to Techspot.

Your system is infected with malware and you're running an outdated version of HijackThis.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard

This thread is for the use of greeneyez07 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
OK, I did all the things you said and the AVG Anti-Rootkit thing found

C:\WINDOWS\system32:lzx32.sys Hidden Driver File
Thanks for the help so far, what do I need to do next?

Thanks again,
Kel
 
Hi,

You have not posted HijackThis, ComboFix and AVG Antispyware logs as attachments to this thread. Please post the requested logs as they will help us to diagnose the problems on your system and fix them.

Please see this thread HERE for a guide to attaching files on a thread.

Have AVG Anti Rootkit remove that entry it detected.


Regards,
Your friendly Momok =)
 
The lzx32.sys is part of the Rustock rootkit. Have AVG Antirootkit fix that entry, then post all the requested logfiles.

Regards Howard :)

 
OK, if I attached everything right, here are the logs. Let me run the anti-rootkit thing again and see if that one thing comes up again. I followed the instructions step by step to clean the computer, but I missed the steps that were on the other post on that page, so I went back and redid all the steps again. Here are the logs you asked for.

Thanks again for your help. If they didn't attach I will try again.

Kel
 
I also just redid the anti-rootkit thing and it didn't find anything this time. Let me know if you see anything else on there that needs to be taken care of...

Thanks so much again,
Kel
 
Delete all files in AVG Antispyware quarantine.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard :)

 
One more thing: I also have another weird problem. I had Symantec on the computer and tried to uninstall it because it didn't seem to be finding things, and it was updated. It won't let me uninstall it; it just runs the Windows Installer and says that it is uninstalling, then it starts reversing and going backwards and doesn't uninstall it. Then when I right-click any icon on the desktop the Windows Installer comes up and tries to install Symantec. I don't know what is going on with that. It is still doing that; I just tried to see if it had quit doing that when I right-click an icon. I do have Symantec disabled now since it won't let me uninstall it, and I am using the AVG antivirus instead of Symantec.

Thanks for any help,
Kel
 
Oops, got it... wasn't logged in.

Kel

OK, here are the two logs you asked for, from Avenger, and a new HJT log.

Thanks again... just let me know if there is anything else I need to do.

THANKS,
Kel
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

Easy SpyRemover < This programme is of dubious repute.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if there).

winlogon32.exe
EasySpyRemover.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-000000000000} - C:\Documents and Settings\eArmyU Student\429191132.dll (file missing)

O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)

O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\Easy SpyRemover\EasySpyRemover.exe /smart

O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\winlogon32.exe
C:\Program Files\Easy SpyRemover < Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you`re still having problems.

Regards Howard :)

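Two details in the entries above are worth drawing out for anyone reading this thread later. The AVG Anti-Rootkit hit C:\WINDOWS\system32:lzx32.sys has a second colon after the drive letter: that is an NTFS alternate data stream attached to the system32 directory, which is why no normal directory listing ever showed the Rustock driver. And C:\WINDOWS\winlogon32.exe, started from the rarely-legitimate Policies\Explorer\Run key under a random-looking value name, is a lookalike of the genuine winlogon.exe, which lives only in system32 under that exact name. The script below is an added example, not code from this thread or from HijackThis; it runs those heuristics over lines constructed from the entries quoted above. The rules and severity labels are my own assumptions and are triage aids, not verdicts: the Easy SpyRemover line, for instance, trips none of them.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the HijackThis and AVG Anti-Rootkit lines
# quoted in this thread. It is not a captured log.
SAMPLE_LOG = r"""
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-000000000000} - C:\Documents and Settings\eArmyU Student\429191132.dll (file missing)
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32:lzx32.sys Hidden Driver File
"""

# Core Windows binaries that malware imitates by appending characters
# (winlogon32.exe, svchost32.exe ...). The genuine files carry exactly these
# names and live in %SystemRoot%\system32.
CORE_BINARIES = ("winlogon", "svchost", "lsass", "csrss", "services", "smss", "explorer")

WIN_PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|sys)", re.IGNORECASE)
# A second colon after the drive letter means "<file or directory>:<stream>",
# an NTFS alternate data stream that Explorer and dir do not list.
ADS_PATH = re.compile(r"[A-Za-z]:\\[^:\r\n]+:([^\\\s:]+)")
POLICY_RUN = re.compile(r"Policies\\Explorer\\Run", re.IGNORECASE)
RUN_NAME = re.compile(r"\[([^\]]+)\]")
LOOKALIKE = re.compile(r"^(?:%s)[0-9a-z]+\.exe$" % "|".join(CORE_BINARIES), re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, reason, log line)


def triage(log_text: str) -> List[Finding]:
    """Flag the lines of an HJT-style log that warrant a closer look.

    Heuristics only (my assumptions): a hit is a reason to inspect, not proof
    of infection, and a miss says nothing about the file.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        ads = ADS_PATH.search(line)
        if ads:
            findings.append(("HIGH", f"file hidden in NTFS alternate data stream '{ads.group(1)}'", line))
            continue  # a stream path is not a normal file path; skip the other checks

        if POLICY_RUN.search(line):
            findings.append(("HIGH", "autostart via Policies\\Explorer\\Run, which legitimate software rarely uses", line))

        name = RUN_NAME.search(line)
        if name:
            value = name.group(1)
            # all-caps alphanumeric soup of 8+ characters mixing letters and digits
            if re.fullmatch(r"[A-Z0-9]{8,}", value) and re.search(r"\d", value) and re.search(r"[A-Z]", value):
                findings.append(("MEDIUM", f"random-looking autostart value name '{value}'", line))

        for path in WIN_PATH.findall(line):
            base = path.rsplit("\\", 1)[-1]
            if LOOKALIKE.match(base):
                findings.append(("HIGH", f"lookalike of a core Windows binary: {base}", line))

        if line.endswith("(file missing)"):
            findings.append(("LOW", "orphaned entry, target file already gone; fix for hygiene", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

On the sample above the script flags the two orphaned BHOs as LOW, the ADS driver as HIGH, and the Policies\Explorer\Run line three times (the key, the value name and the lookalike filename), while the Easy SpyRemover and Symantec lines pass untouched, which is exactly why a reviewer still has to read the whole log.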
 
Have HJT fix this entry.

O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)

Other than the above inactive entry, your HJT log is clean.

Turn off System Restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
OK, here is the last HJT log after I checked it to fix that last file. Also one more question, I hope anyway. I went to that Norton/Symantec removal tool and tried to do it and it said I had to use Add/Remove Programs first and do it there. I tried to do that again, and it still acted like it was removing it, but then the progress thing started going backwards and it is still there, and Windows Installer is still trying to install it every time I right-click on anything on the desktop. Anything else I might be able to try there?

Thanks again so so so so so so much for your help so far, you are AWESOME!!!!!!!

Kel
 
OK, let's try the following.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double-click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Symantec Password Validation (ccPwdSvc) < Disable the service name and/or the name in brackets.

Symantec Settings Manager (ccSetMgr) < Disable the service name and/or the name in brackets.

Symantec AntiVirus Definition Watcher (DefWatch) < Disable the service name and/or the name in brackets.

SAVRoam (SavRoam) < Disable the service name and/or the name in brackets.

Symantec AntiVirus

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if there).

Rtvscan.exe
SavRoam.exe
DefWatch.exe
ccSetMgr.exe
ccPwdSvc.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Symantec AntiVirus < Delete the entire folder.
C:\Program Files\Common Files\Symantec Shared < Delete the entire folder.

Now try running the removal tool again.

Reboot into normal mode and rehide your protected OS files.

Let me know the results.

Regards Howard :)

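The services.msc and Task Manager steps above can also be scripted straight from the O23 lines of the HJT log, which avoids clicking through each service by hand and survives the case that caused trouble later in this thread, an O23 entry whose binary has already been deleted. The script below is an added example, not code from this thread or from HijackThis; it parses O23 lines constructed to match those quoted above (plus a Windows Audio line as a control that must not be touched) and emits the sc.exe commands to stop, disable and unregister every service whose display name or company matches a vendor keyword. The keyword list and the O23 format assumption (display name, service name in brackets when it differs, company, path) are mine. Note that sc delete removes only the service registration; it does nothing about the Windows Installer product registration behind the "installing Symantec on right-click" behaviour, which is a separate record.

```python
import re
from typing import Dict, List

# Constructed O23 lines in the format HijackThis uses for services. The
# Symantec entries follow those quoted in this thread; the Windows Audio line
# is a control that the generated commands must leave alone.
SAMPLE_O23 = r"""
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""

# "Display Name (ServiceName) - Company - Path"; when display and service name
# are identical the name appears once, without brackets (assumed format).
O23_LINE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<company>.*?) - (?P<path>.+)$"
)


def parse_o23(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per O23 line with display, name, company and path."""
    entries: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = O23_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["name"] = e["name"] or e["display"]  # the short name is what sc.exe wants
        entries.append(e)
    return entries


def _quote(name: str) -> str:
    # cmd.exe passes the name as one argument only if spaces are quoted
    return f'"{name}"' if " " in name else name


def removal_commands(log_text: str, vendor_keywords=("symantec", "norton")) -> List[str]:
    """Build the sc.exe commands that stop, disable and unregister every
    service whose display name or company matches a vendor keyword.

    Run them from an Administrator command prompt. 'sc stop' on a service
    that is already stopped just reports error 1062; 'sc delete' removes the
    service registration even when the binary on disk is already gone.
    """
    cmds: List[str] = []
    for e in parse_o23(log_text):
        haystack = (e["display"] + " " + e["company"]).lower()
        if not any(k in haystack for k in vendor_keywords):
            continue
        n = _quote(e["name"])
        cmds += [f"sc stop {n}", f"sc config {n} start= disabled", f"sc delete {n}"]
    return cmds


if __name__ == "__main__":
    print("\n".join(removal_commands(SAMPLE_O23)))
```

The space after start= in sc config is required by sc.exe, not a typo. Review the generated list before running it; a keyword match on a company string is deliberately broad and will catch any service the vendor registered, not only the antivirus ones.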
 
OK, I did everything you said and it is still not uninstalled. The Norton removal tool is still telling me to use Add/Remove Programs first, and I try it there and it is still rolling back after trying to uninstall. I deleted the files and everything that I was supposed to. In my new HJT log there is the SavRoam missing file, and I check to fix that and it is still there. I have tried to fix it in HJT 4 times and rebooted after I told it to fix it, and it said it was done. It is still there. Not sure what is going on, but I have tried everything to get it off the computer. It is still doing the Windows Installer thing when right-clicking on icons.

Thanks,
Kel
 
OK, let's try this from normal mode.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double-click on the following service (if there) and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK.

SAVRoam (SavRoam) < Disable the service name and/or the name in brackets.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if there).

SavRoam.exe

Close task manager.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard :)

 

Attachment: avengerscript.txt (144 bytes)

OK, I did what you said in normal mode and it is still there; I don't know what is going on. Also, in HJT when you look, all the things that we fixed are in the backup. I deleted them from there and every time I run HJT they are there in the backup again. Symantec still won't uninstall, and I tried the remover tool and Add/Remove Programs. I am not sure what to do or how to fix what I have going on. Here are the logs from after I did Avenger in normal mode and used the script that was attached to the last message.

Thanks again,
Kel
 
Your HJT log is clean and shows no signs of any Symantec/Norton entries.

To get rid of the Symantec/Norton entry in your Add/Remove Programmes, do the following.

Run the CCleaner programme as per step 9 of the instructions in this thread HERE. With the CCleaner programme still open, click the Tools button, highlight the Symantec/Norton entry and click the Delete Entry button, click OK and close CCleaner.

See if that helps.

Regards Howard :)

 