TechSpot

Spyware/Malware Problems, Please Help

By JamesW
Dec 26, 2008
  1. I completed the 8 step process and the files are attached. I got a few viruses a few weeks back and I am trying to fix them, but I do not know if they are completely gone. The viruses I got were Vundo, and Darksma, and Internet Speed Monitor.iCheck. Thank you.
     
  2. gillianbrown

    gillianbrown Banned Posts: 141

    You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

    Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

    Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

    You can now close the HJT directory.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {27203D7C-A218-4500-9903-B1461C30D9B4} - C:\WINDOWS\system32\iifcDTkj.dll (file missing)

    O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\Me\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe

    O20 - AppInit_DLLs: eicbuq.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders (if there).

    C:\WINDOWS\system32\eicbuq.dll


    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let us know if you're still having problems.
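
The entries selected for fixing in the post above, run through a small triage script alongside two startup entries quoted later in the thread. This is an added example, not part of the original posts or of HijackThis; the parsing regex and the three review heuristics (BHO whose file is missing, autostart target inside a Temp folder, non-empty AppInit_DLLs) are assumptions chosen for illustration.

```python
import re

# Constructed sample: O-section entries as quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {27203D7C-A218-4500-9903-B1461C30D9B4} - C:\WINDOWS\system32\iifcDTkj.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\Me\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
O20 - AppInit_DLLs: eicbuq.dll
"""

# "O<n> - <kind>: <value>"; <kind> stops at the first colon on the line.
ENTRY = re.compile(r"^(O\d+)\s+-\s+([^:]+):\s*(.*)$")


def parse(log_text):
    """Return (section, kind, value) for every O-section line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return entries


def triage(log_text):
    """Flag entries for manual review (assumed heuristics, not HJT's own)."""
    findings = []
    for section, kind, value in parse(log_text):
        low = value.lower()
        if section == "O2" and "(file missing)" in low:
            # Browser Helper Object still registered, DLL no longer on disk.
            findings.append((section, "BHO registered but file missing", value))
        elif section == "O4" and "\\temp\\" in low:
            # Autostart item whose target lives in a temporary directory.
            findings.append((section, "autostart target in a Temp folder", value))
        elif section == "O20" and kind == "AppInit_DLLs" and value:
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append((section, "DLL listed in AppInit_DLLs", value))
    return findings


if __name__ == "__main__":
    for section, reason, value in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {value}")
```

A flag here only means "look at this entry"; the Synaptics and Avira startup lines pass through unflagged.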
     
  3. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    Thank you very much for helping me, and I have a few questions. I only have one account on my computer and that is the administrator account. In order to boot into safe mode under an account that is not administrator will I have to create a new account, log off, sign into that account, then reboot? If so, will I have to download HJT for the new account also?
     
  4. gillianbrown

    gillianbrown Banned Posts: 141

    Normally, when you attempt to boot into safe mode it gives you the choice of using either your normal account name or the Administrator account.

    However, if the only account presented to you is the admin account, then by all means use that.
     
  5. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    Ok, I followed all the directions you gave me, and I have posted a new log. I found

    O2 - BHO: (no name) - {27203D7C-A218-4500-9903-B1461C30D9B4} - C:\WINDOWS\system32\iifcDTkj.dll (file missing)

    O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\Me\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe

    O20 - AppInit_DLLs: eicbuq.dll

    in HJT and fixed all problems, but I did not find C:\WINDOWS\system32\eicbuq.dll

    Do you have any more suggestions? Once again, thank you for helping me.
     
  6. gillianbrown

    gillianbrown Banned Posts: 141

    Your HJT log is now clean. Don't worry that you were unable to find the eicbuq.dll file.

    Unless you're still having problems, you should be good to go.
     
  7. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    Thank you very much for the quick and helpful responses
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    James, please allow me to mention some things:

    You are running three security programs that include antivirus. You need to decide which you want to keep and uninstall the rest. They are:
    Avira:
    Avast:
    McAfee:
    I suggest you proceed as follows:
    Decide which program you want to keep - only one antivirus program should be running. Then:
    Please re-open HiJackThis and scan. Check the boxes next to all the entries for the program you do NOT want to keep. Use the groups above that I have set up for you.

    Then close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.

    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all the processes for the programs you do NOT want to keep.

    Start> Run> services.msc> do the following on each of the O23 Services listed above for the program you do NOT want to keep:
    Right click on the Service> Properties> Set the startup type to Disabled> Stop the Service.

    Control Panel>Add/Remove Programs> highlight and uninstall the program you do NOT want to keep.

    Reboot into Normal Mode. ***NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    One more thing. You have SuperAntispyware running:
    but you did not provide a log. Please run a scan with the program, followed by a new scan with HijackThis and attach both logs.
     
  9. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    Okay

    I am going to be busy today, so I will complete the instructions by tomorrow. I also have a few questions, I thought I uninstalled McAfee earlier, but I guess not. In order to remove it do I just need to open HJT and fix the file that you gave me? Also, I thought I needed SuperAntiSpyware but is fixing the file you gave me just turning it off? Sorry, I am not very good with computers and I just have a few questions. Thank You.
     
  10. gillianbrown

    gillianbrown Banned Posts: 141

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Download the McAfee Removal Tool and Save to the desktop> don't run it yet.
    You also need to decide between Avira and Avast.

    I want you to scan with SuperAntispyware and attach the log, per these directions:
    SAS:
    Boot into Safe Mode:
    Start> Run> msconfig> enter> Selective startup> Startup tab> UNCHECK all McAfee related processes> Apply> OK>

    You can also remove either the Avast processes or Avira> whichever one you have decided NOT to keep in the same way.

    Now double click on the removal setup on the desktop and run.

    When through, reboot into Normal mode. ***Note: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
     
  12. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    The SuperAntiSpyware log is attached. I will remove McAfee, but I was wondering if I should keep Avira or Avast. Every day I get a few incoming trojan viruses that Avira detects and blocks, but Avast does not show any signs of use. Which one would you suggest keeping? Also, on the internet I only visit websites such as facebook and youtube, but I still get incoming attacks from viruses. Is this normal?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    How do you know that Avast isn't just doing its job and preventing the 'viruses or Trojans' from getting on the system? The fact that you have 2 'competing' AV programs is the reason for this.

    Your antivirus program is not going to prevent scanning that may have malware. But when properly configured and by keeping updated, it should prevent the viruses from getting on the system.

    Keep in mind that we now lean more toward the word 'malware' rather than viruses. This includes viruses, Worms, Trojans, pests, spyware and adware. And while an antivirus program may WARN you of malware, if it's not in the family of viruses, Worms, Trojans, it's not going to remove it. That's why you should have a firewall, an antivirus program and at least two spyware/adware programs for layered protection.

    We tend to lean more toward Avast, but Avira is also good. The important thing is to get the system down to ONE antivirus program as more than that can cause a conflict which can leave the system more vulnerable.

    I will check one more HijackThis log if wanted, after you get down to only one AV program. SAS is clean. How is the system working? If it is slow, it's because you have way too many programs and processes loading at startup.

    Of all the O4 processes loading at boot, the only ones you need are:
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe>> touchpad for laptop
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
     
  14. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    I think I removed McAfee and Avast, here is the HJT log. I was wondering, do I have a firewall, or should I install COMODO? Thank you
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, no malware. If you ever decide your startup, surfing and shutdown are too slow, think about taking those programs I mentioned off of startup.

    Yes, you should have a firewall: Either/or, not both.
    Recommended Free Firewall:
    Comodo: http://www.personalfirewall.comodo.com/
    Zonealarm: http://www.zonealarm.com/store/content/catalog/products/zonealarm_free_firewall.jsp

    The cleaning programs can be removed:
    Clear your existing System Restore points and establish a new clean restore point:
    Quote:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
    * Next, go to Start > Run and type in cleanmgr
    "Ensure the selection is on C:\ and click on OK"-
    * Select the *More options* tab
    * Choose the option to clean up System Restore and OK it.
    * This will remove all restore points except the new one you just created.
     
  16. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    Thank you so much. I downloaded COMODO earlier today and things seem to be working great. Only one thing is that after I click on the OTCleanIt link and save it, I receive a notification that says that there is no publisher, and the software could be harmful to my computer. When I clicked run anyway, COMODO immediately gave me a warning about the dangers of the software, but should I carry on?
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  18. JamesW

    JamesW TS Rookie Topic Starter Posts: 23

    Okay, great, I think everything is running smoothly. Thank you for the help Bobbye, and gillianbrown, who seems to have gotten banned....for giving false advice maybe? Hopefully not to me.
     
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    No, he was banned for an internal forum issue, nothing to do with his posts on the forum.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Let us know if you need more help.
     
Topic Status:
Not open for further replies.
