TechSpot

The 8th Step

By icec0rpse
Jul 3, 2009
  1. I'm on my Sister's Hp Pavilion 750c.

    Here's the specs


    Symptoms:
    -- Slow starting iexplore.exe
    -- I know this HDD hasn't been defragmented for a long time - 13gb remaining hard disk space. It had 5gb remaining previously.
    -- Couldn't open pagefile.sys during Avira-scan. I know what pagefile is used for but I worry that it could be a problem.
    -- Could not update to SP3 on WinXP Home Edition
     
  2. Bobbye


    You have malware in the restore points so don't do a System Restore while cleaning. We'll remove the old restore point after cleaning.

    You had the DNS Changer malware which means you need to reset the router as follows:

    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    [1]. Shut down your computer, and any other computer connected to your router.
    [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
    [3]. Unplug the router. Wait sixty seconds.
    [4]. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
    [5]. With the router unplugged, start your computer. Run MBAM again.
    [6]. Connect to the router again. Then turn the router back on.
    [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
    [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

    You have malware in temp files and they need to be deleted:

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please reopen Hijack This to "do system scan only"
    Check the following entries if present. Note: Do not click on Fix Checked until all in the list have been checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn;*.local
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


    Close all Windows except HijackThis and click on "Fix Checked".

    To summarize:
    [1] Reset router, running Mbam as instructed.
    [2] Run TFC
    [3] Do online scan with Eset Nod32
    [4] Remove HijackThis entries

    Attach logs and report for #1, 2 and do a rescan with HJ and include new log.

    I will give you instructions for complete removal of WeatherBug, which includes the MyWebSearch Toolbar in the next reply.
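    As an added example (not part of this thread and not a HijackThis feature), here is a small Python triage script that parses HijackThis-style R1/R3/O2/O9 lines and flags the patterns singled out in the post above: entries whose referenced file is missing, unnamed CLSID hooks, and changed proxy or default-search settings. The sample lines are the ones quoted in the post; the flagging rules are my own heuristics.

```python
import re
from dataclasses import dataclass, field

# Sample input: HijackThis lines quoted in the post above (not constructed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn;*.local
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
"""

# "R1 - body", tolerant of the missing space seen in "R1- HKCU..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+)\s*-\s*(?P<body>.+)$")
# A CLSID/GUID in braces, optionally prefixed with "_" as in the R3 line
GUID_RE = re.compile(r"_?\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)  # why this entry is suspicious


def triage_line(line):
    """Parse one HijackThis line; return an Entry (reasons may be empty) or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m["section"], m["body"])
    body = e.body
    if "(no file)" in body or "(file missing)" in body:
        e.reasons.append("orphaned entry: referenced file is missing")
    if "(no name)" in body and GUID_RE.search(body):
        e.reasons.append("unnamed CLSID hook")
    if e.section == "R1" and "Internet Settings,Proxy" in body:
        key, _, value = body.partition(" = ")
        e.reasons.append("proxy setting %s = %s" % (key.rsplit(",", 1)[1], value))
    if e.section == "R1" and "Default_Search_URL" in body:
        e.reasons.append("default search URL set to " + body.partition(" = ")[2])
    return e


def triage(text):
    """Return only the entries that tripped at least one heuristic, in log order."""
    return [e for e in map(triage_line, text.splitlines()) if e and e.reasons]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry.section, "->", "; ".join(entry.reasons))
```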
     
  3. icec0rpse


    Sorry for my packet loss in my response. department.com.

    I followed the instructions emphatically.
    It's been awhile, thus, this computer may contain additional infection. Thusly, I present thee with thy most infamous hijack.log to make sure.

    *Salutes*
     
  4. Bobbye


    I am temporarily not helping with malware cleaning.

    But since it's been a month, I would most likely tell you to start over HERE.

    ASAP.

    You cannot string the logs out like this. They are laid out in an order that should be followed at the same time.
     
Topic Status:
Not open for further replies.
