TechSpot

Pretty Pretty Please help me(hjt log) Virus?

By greeneyez07
Apr 28, 2007
  1. I don't know what to do, I have tried everything and I am still having trouble. First off I keep getting a message from windows livecare that I have a trojan something win32 Adialer_gen.b or something like that. It keeps saying it quarantined it but it keeps coming up that I have it. My computer is running awful and keeps freezing constantly. Here is my first HJT log. I also downloaded cwshredder but I have not run it yet. My internet explorer also was constantly changing my homepage to google and kept redirecting me to different search pages when I search for something on yahoo. I downloaded IE 7 and that seems to have blocked that from happening. I still know that I have something going on though.

    Any help Pretty please with sugar on top would help........
    Kel
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is infected with malware and you`re running an outdated version of HijackThis.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    Ok I did all the things you said and the avg anti-rootkit thing found

    C:\WINDOWS\system32:lzx32.sys Hidden Driver File

    Thanks for the help so far, what do I need to do next?

    Thanks again,
    Kel
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You have not posted HijackThis, ComboFix and AVG Antispyware logs as attachments to this thread. Please post the requested logs as they will help us to diagnose the problems on your system and fix them.

    Please see this thread HERE for a guide to attaching files on a thread.

    Have AVG Anti Rootkit remove that entry it detected.

    Regards,
    Your friendly Momok =)
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The lzx32.sys is part of the Rustock rootkit. Have AVG Antirootkit fix that entry, then post all the requested logfiles.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    Ok if I attached everything right, here are the logs, let me run the anti rootkit thing again and see if that one thing comes up again. I followed the instructions step by step to clean the computer, but I missed the steps that were on the other post on that page, so I went back and redid all the steps again. Here are the logs you asked for.

    Thanks again for your help, if they didn't attach I will try again.

    Kel
     
  7. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    I also just redid the anti rootkit thing and it didn't find anything this time. Let me know if you see anything else on there that needs to be taken care of......

    Thanks so much again,
    Kel
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    One more thing, I also have another weird problem. I had Symantec on the computer and tried to uninstall it because it didn't seem to be finding things, and it was updated. It won't let me uninstall it, it just runs the windows installer and says that it is uninstalling then it starts reversing and going backwards and doesn't uninstall it. Then when I right click any icon on the desktop the windows installer comes up and tries to install Symantec. I don't know what is going on with that. It is still doing that, I just tried to see if it had quit doing that when I right click an icon. I do have Symantec disabled now since it won't let me uninstall it, and I am using the avg antivirus instead of Symantec.

    Thanks for any help,
    Kel
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Checkout this post HERE for instructions on how to remove Symantec/Norton.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    Oops got it...wasn't logged in.....

    Kel

    Ok here are the 2 logs you asked for from avenger and a new hjt log.

    thanks again.....just let me know if there is anything else I need to do....

    THANKS,
    Kel
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Easy SpyRemover<This programme is of dubious repute.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    winlogon32.exe
    EasySpyRemover.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-000000000000} - C:\Documents and Settings\eArmyU Student\429191132.dll (file missing)

    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)

    O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\Easy SpyRemover\EasySpyRemover.exe /smart

    O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\winlogon32.exe
    C:\Program Files\Easy SpyRemover<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you`re still having problems.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
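As an added illustration (not code from the thread or from HijackThis), the following Python parser reads the O2/O4/O23 lines that Howard asked to have fixed above, re-typed here as a constructed sample, and attaches defender-side flags to each entry. The "(file missing)" marker comes from HJT's own output; the other flags (Policies\Explorer\Run autostart, an executable sitting directly in C:\WINDOWS, a random-looking value name) are this example's heuristics, not rules HJT applies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the HJT entries quoted in the thread, re-typed as test input.
SAMPLE_HJT_LOG = r"""
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-000000000000} - C:\Documents and Settings\eArmyU Student\429191132.dll (file missing)
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
"""

MISSING = " (file missing)"  # HJT's own marker for an orphaned entry
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
RANDOM_NAME = re.compile(r"^[A-Z0-9]{8,}$")  # heuristic (assumption): names like 7H28X9M91L
WINDOWS_ROOT_EXE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.I)  # heuristic (assumption)

@dataclass
class Entry:
    kind: str                 # O2 (BHO), O4 (autostart), O23 (service)
    raw: str                  # original HJT line
    path: str                 # file the entry points at
    missing: bool             # True when HJT reported "(file missing)"
    value_name: str = ""      # O4 registry value name, e.g. 7H28X9M91L
    reg_key: str = ""         # O4 registry key, e.g. HKLM\..\Run
    flags: list = field(default_factory=list)

def parse_line(line):
    """Parse one HJT line into an Entry; unknown kinds return None."""
    kind, _, rest = line.partition(" - ")
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)]
    if kind == "O2" and (m := O2_RE.match(rest)):
        return Entry(kind, line, m["path"], missing)
    if kind == "O4" and (m := O4_RE.match(rest)):
        exe = m["cmd"].split(" /")[0]  # drop command-line switches such as /smart
        return Entry(kind, line, exe, missing, m["value"], m["key"])
    if kind == "O23" and (m := O23_RE.match(rest)):
        return Entry(kind, line, m["path"], missing)
    return None

def assess(e):
    """Attach review flags; an orphaned entry is inactive and safe to let HJT fix."""
    if e.missing:
        e.flags.append("orphaned: target file missing, entry is inactive")
    if "\\Policies\\Explorer\\Run" in e.reg_key:
        e.flags.append("autostart via Policies\\Explorer\\Run (unusual for legitimate software)")
    if WINDOWS_ROOT_EXE.match(e.path):
        e.flags.append("executable placed directly in the Windows directory")
    if e.value_name and RANDOM_NAME.match(e.value_name):
        e.flags.append("random-looking registry value name")
    return e

def analyze(log_text):
    entries = [parse_line(l.strip()) for l in log_text.splitlines() if l.strip()]
    return [assess(e) for e in entries if e]
```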
     
  13. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    Ok here is the newest hjt log after I did the last steps you told me to do.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this entry.

    O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\system32\ipv6mops.dll (file missing)

    Other than the above inactive entry, your HJT log is clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    Ok here is the last hjt log after I checked it to fix that last file. Also one more question, I hope anyways. I went to that Norton's/Symantec removal tool and tried to do it and it said I had to use the Add Remove Programs first and do it there. I tried to do that again, and it still acted like it was removing it but then the progress thing started going backwards and it is still there and windows installer is still trying to install it every time I right click on anything on the desktop. Anything else I might be able to try there?

    Thanks again so so so so so so much for your help so far, you are AWESOME!!!!!!!

    Kel
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, let`s try the following.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Symantec Password Validation (ccPwdSvc)<Disable the service name and/or the name in brackets.

    Symantec Settings Manager (ccSetMgr)<Disable the service name and/or the name in brackets.

    Symantec AntiVirus Definition Watcher (DefWatch)<Disable the service name and/or the name in brackets.

    SAVRoam (SavRoam)<Disable the service name and/or the name in brackets.

    Symantec AntiVirus

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    Rtvscan.exe
    SavRoam.exe
    DefWatch.exe
    ccSetMgr.exe
    ccPwdSvc.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Symantec AntiVirus<Delete the entire folder.
    C:\Program Files\Common Files\Symantec Shared<Delete the entire folder.

    Now try running the removal tool again.

    Reboot into normal mode and rehide your protected OS files.

    Let me know the results.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    Ok I did everything you said and it is still not uninstalled. The Norton removal tool is still telling me to use the add remove programs first, and I try it there and it is still rolling back after trying to uninstall. I deleted the files and everything that I was supposed to. In my new HJT log there is the savroam missing file and I check to fix that and it is still there. I have tried to fix it in hjt 4 times and rebooted after I told it to fix it and it said it was done. It is still there. Not sure what is going on but I have tried everything to get it off the computer. It is still doing the windows installer when right clicking on icons.

    Thanks,
    Kel
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, lets try this from normal mode.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    SAVRoam (SavRoam)<Disable the service name and/or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    SavRoam.exe

    Close task manager.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. greeneyez07

    greeneyez07 TS Rookie Topic Starter

    Ok I did what you said in normal mode and it is still there, I don't know what is going on. Also in HJT when you look all the things that we fixed are in the backup, I deleted them from there and every time I run hjt they are there in backup again. Symantec still won't uninstall, and I tried the remover tool, and add remove programs. I am not sure what to do or how to fix what I have going on. Here are the logs from after I did avenger in normal mode and used the script that was attached to the last message.

    Thanks again ,
    Kel
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean and shows no signs of any Symantec/Norton entries.

    To get rid of the Symantec/Norton entry in your add remove programmes, do the following.

    Run the Ccleaner programme as per step 9 of the instructions in this thread HERE. With the Ccleaner programme still open, click the tools button, highlight the Symantec/Norton entry and click the delete entry button, click ok and close Ccleaner.

    See if that helps.

    Regards Howard :)

    This thread is for the use of greeneyez07 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.