HELP! major worm hidden partition, dual fifo
- Thread starter logikz
- Start date
momok
Posts: 2,127 +6
Hi logikz,
Please do not copy or paste your logs. Instead, attach the .log or .txt files to your thread. Your pasted logs shall very soon be removed by the moderator.
Meanwhile, I request that you do the following.
Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer
Important: Please read this thread HERE before you decide whether to clean or reformat your system.
Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer. The thread provides a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.
Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed by the moderators.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Please do not copy or paste your logs. Instead, attach the .log or .txt files to your thread. Your pasted logs shall very soon be removed by the moderator.
Meanwhile, I request that you do the following.
Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'nwprovau.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer
Important: Please read this thread HERE before you decide whether to clean or reformat your system.
Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer. The thread provides a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.
Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed by the moderators.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
momok
Posts: 2,127 +6
Hi,
Your logs appear to be clean already.
Please download and run CCleaner via step 9 of the instructions HERE.
Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.
After that turn system restore back on.
This would have created a new safe and clean restore point for your system.
Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.
Should you have any further problems, please post in this thread.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Your logs appear to be clean already.
Please download and run CCleaner via step 9 of the instructions HERE.
Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.
After that turn system restore back on.
This would have created a new safe and clean restore point for your system.
Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.
Should you have any further problems, please post in this thread.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
xanimefanx
Posts: 82 +0
hmm well its not completley clean you have
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.
Momok should be able to help you with removing those files
although its not a virus i think it should free up some space
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.
Momok should be able to help you with removing those files
although its not a virus i think it should free up some space
momok
Posts: 2,127 +6
Hi,
Do not fix those two files.
They are legit, but appears to be missing because of a HijackThis bug. There are several other files that often appear that way in HijackThis too because of the bug.
You asked for a relook at the scan. I've checked your logs and they appear to be clean.
If you wish to double confirm, you may post fresh ComboFix, HijackThis and AVG Antispyware logs from normal mode.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Do not fix those two files.
They are legit, but appears to be missing because of a HijackThis bug. There are several other files that often appear that way in HijackThis too because of the bug.
You asked for a relook at the scan. I've checked your logs and they appear to be clean.
If you wish to double confirm, you may post fresh ComboFix, HijackThis and AVG Antispyware logs from normal mode.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
lots of stuff about migration when i never use these things. I get errors about being in 64 bit when i had formatted that OS off my system along with everything else. I did a format and it still registers 64 bit system. I get information about my "Computer Configuration "undocked"" When i booted another computer's harddrive up with this as a slave it shows both a windows folder and a windows.0 folder. It has to do with VolSnap i believe. Also a hidden partition maybe of 12 bit format so i cant read it. There is always a registry entry even on fresh installation called "Mr.Enigma" and another "redbook" I also read entries about it using "Whistler" and "WinSafer". i attatched a few things assosiated i believe.
This was found in \windows\system32\PreInstall\WinSE\wxp_x86_0409_v1
second file is found at C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles
I completely reinstalled / formatted on 5/16/2007 at appx 11:00 pm. attatched drivers list
and when i delete files it goes to both a \Recycler folder on both my C:\ and E:\ drives. this is all very strange.
This was found in \windows\system32\PreInstall\WinSE\wxp_x86_0409_v1
second file is found at C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles
I completely reinstalled / formatted on 5/16/2007 at appx 11:00 pm. attatched drivers list
and when i delete files it goes to both a \Recycler folder on both my C:\ and E:\ drives. this is all very strange.
momok
Posts: 2,127 +6
Hi,
You have some nasties on your system. Please follow the instructions.
Important: Please read this thread HERE before you decide whether to clean or reformat your system.
Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.
Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed by the moderators.
Also, please let me know the results of the AVG Antirootkit scan
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
You have some nasties on your system. Please follow the instructions.
Important: Please read this thread HERE before you decide whether to clean or reformat your system.
Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.
Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed by the moderators.
Also, please let me know the results of the AVG Antirootkit scan
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Fresh logs posted. if this helps, a while ago i had flashed my bios with this program on here. I was given a corrupted version of windows XP professional which i installed. Lots of problems arose. I cant installed avg anti-spyware because it says im running 64 bit OS. I have already reinstalled windows, here is fresh logs. The virus is still on my system, those nasties were also from a near fresh install, they are packaged in with volsnap, or possibly some .xml datafactory.
if it helps, after the fresh reinstall my pagefile stayed the same size, and is evergrowing. i have a couple different system folders, from these names C:\Windows\System32 and C:\windows\SYSTEM32
strageland eh? every computer around me seems to be infected with this virus, it self installs on CDs and floppies, it seems neverending...
this is the boot manager that i cannot get rid off. Once this arrived, the virus arrived.
panda scan
if it helps, after the fresh reinstall my pagefile stayed the same size, and is evergrowing. i have a couple different system folders, from these names C:\Windows\System32 and C:\windows\SYSTEM32
strageland eh? every computer around me seems to be infected with this virus, it self installs on CDs and floppies, it seems neverending...
this is the boot manager that i cannot get rid off. Once this arrived, the virus arrived.
panda scan
Phantasm66
Posts: 4,909 +8
A hidden partition???? Are you yanking my chain??!
If you've actually got A HIDDEN PARTITION on your machine that contains some kind of rootkit technology or something, then what are you waiting for...
FORMAT AND REINSTALL!!
If you've actually got A HIDDEN PARTITION on your machine that contains some kind of rootkit technology or something, then what are you waiting for...
FORMAT AND REINSTALL!!
momok
Posts: 2,127 +6
Hi,
Since you've identified that the problem arises from your CD, I would advise you to get a new one (clean and legit one) and do a reformat and reinstall. It would be the most straightforward way since your OS was also just recently installed and it doesnt hurt to take the safest route.
However if you'd like to clean your system, I'll try my best to help you. Your ComboFix log is just filled with tonnes of dlls and executables which normally do not even appear in the average user's system log. It will take some time to sort out the bad files to clean.
Let me know your decision again.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Since you've identified that the problem arises from your CD, I would advise you to get a new one (clean and legit one) and do a reformat and reinstall. It would be the most straightforward way since your OS was also just recently installed and it doesnt hurt to take the safest route.
However if you'd like to clean your system, I'll try my best to help you. Your ComboFix log is just filled with tonnes of dlls and executables which normally do not even appear in the average user's system log. It will take some time to sort out the bad files to clean.
Let me know your decision again.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
The problem is that i installed a corrupted version ONCE. My discs i am currently using are factory windows CD's. i have home edition sp2, home edition, and xp pro x64. All with legit CD keys and the CD's are not burnt or nething, they are straight from the company. I think cleaning would be the best idea because after format / reinstall im left at the same place. another prob is that i get an internet multicast directed at port 1600 from my router all the time, dunno what that is. If you could help me i would appreciate it, ive been combating this virus /worm / trojan / backdoor for long times, and it has all my computers, harddrives infected along with everyone i know..
momok
Posts: 2,127 +6
Hi,
In that case it would be the right decision to do the format. As for your other computers and hard drives, the extent of infection may vary, even if they are similar. I'll have to look at some ComboFix and HJT logs before I can guide you through cleaning.
I'm not sure if the internet port redirection is a result of the infection. When you have completed your fresh install of Windows, let us know if it still occurs.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
In that case it would be the right decision to do the format. As for your other computers and hard drives, the extent of infection may vary, even if they are similar. I'll have to look at some ComboFix and HJT logs before I can guide you through cleaning.
I'm not sure if the internet port redirection is a result of the infection. When you have completed your fresh install of Windows, let us know if it still occurs.
Regards,
Your friendly Momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
momok
Posts: 2,127 +6
Hi,
You have posted mostly irrelevant logs. We do not read those logs here. Please post only the requested logs from the following instructions.
Please visit Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.
Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs from normal mode as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed.
Also, please let me know the results of the AVG Antirootkit scan
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
You have posted mostly irrelevant logs. We do not read those logs here. Please post only the requested logs from the following instructions.
Please visit Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.
Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs from normal mode as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed.
Also, please let me know the results of the AVG Antirootkit scan
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Phantasm66
Posts: 4,909 +8
Download a linux disk.
Boot from it, but choose Rescue mode.
then (assuming you have a regular HDD controller) do this:
dd if=/dev/zero of=/dev/hda
that will write zeros all over your drive.
once finished (it should take ages) repartition, format and install again.
It should work, I don't know anything that can survive a dd from dev zero.
Boot from it, but choose Rescue mode.
then (assuming you have a regular HDD controller) do this:
dd if=/dev/zero of=/dev/hda
that will write zeros all over your drive.
once finished (it should take ages) repartition, format and install again.
It should work, I don't know anything that can survive a dd from dev zero.
momok
Posts: 2,127 +6
Hi,
If you wish to try the format once more, do go ahead with Phantasm66's instructions. However, if you wish to have a go at cleaning your system, I will do my best to guide you. But firstly you will need to have to follow the instructions.
The 15 step preliminary removal guide is supposed to equip us with 3 logs: AVG Antispyware, ComboFix and HijackThis. Until now, I have only seen one. Also, I need to know what the AVG Anti Rootkit scan turns up, if anything.
Only then can we provide any targetted step by step removal guide for you. If you wish to clean your system but have not completed the steps in our preliminary removal guide, do continue to complete them before providing us with the three logs and the anti rootkit scan results.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
If you wish to try the format once more, do go ahead with Phantasm66's instructions. However, if you wish to have a go at cleaning your system, I will do my best to guide you. But firstly you will need to have to follow the instructions.
The 15 step preliminary removal guide is supposed to equip us with 3 logs: AVG Antispyware, ComboFix and HijackThis. Until now, I have only seen one. Also, I need to know what the AVG Anti Rootkit scan turns up, if anything.
Only then can we provide any targetted step by step removal guide for you. If you wish to clean your system but have not completed the steps in our preliminary removal guide, do continue to complete them before providing us with the three logs and the anti rootkit scan results.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
momok
Posts: 2,127 +6
Hi,
Do not delete any files on your own without supervision. Those files are legit and are not japanese. For more information on one of them, please see HERE.
That said, I really really need to see the log files from the instructions that I have given you. They may seem intimidating, but almost every user who went through that process and recieved further guidance from us in the cleaning process managed to rid their system of infections.
It's been 11 posts since I've asked you to go through the steps once more, and I've repeated myself three times. Please post the requested logs or nobody on this forum will be able to help you much.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Do not delete any files on your own without supervision. Those files are legit and are not japanese. For more information on one of them, please see HERE.
That said, I really really need to see the log files from the instructions that I have given you. They may seem intimidating, but almost every user who went through that process and recieved further guidance from us in the cleaning process managed to rid their system of infections.
It's been 11 posts since I've asked you to go through the steps once more, and I've repeated myself three times. Please post the requested logs or nobody on this forum will be able to help you much.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
momok
Posts: 2,127 +6
Hi,
You are running an outdated version of HijackThis.
You can obtain the latest version from the link in my signature.
Have HijackThis fix the following entries:
F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 B5FEB3B971A8B8C81CE9DE65031A87E5)
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-IDCDT.exe" /REG (filesize 663040 bytes, MD5 4CC9F9220262154F4B72821C74AE971F)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
You have not posted all the requested logs. (ComboFix and AVG Antispyware)
Please do so in your next reply, including a fresh HijackThis log.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
You are running an outdated version of HijackThis.
You can obtain the latest version from the link in my signature.
Have HijackThis fix the following entries:
F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 B5FEB3B971A8B8C81CE9DE65031A87E5)
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-IDCDT.exe" /REG (filesize 663040 bytes, MD5 4CC9F9220262154F4B72821C74AE971F)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
You have not posted all the requested logs. (ComboFix and AVG Antispyware)
Please do so in your next reply, including a fresh HijackThis log.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
New logs, i dont have windows xp 32bit im using 64 bit. i have some logs, but combofix doesnt work.
more logs, if you can help me to clean or get a clean install let me know.
this one is strange
The Plug and Play operation cannot be completed because a device driver is preventing the device from stopping. The name of the device driver is listed as the vetoing service name below.
Vetoed device: STORAGE\VOLUME\1&30A96598&0&SIGNATURE22F022FOFFSET7E00LENGTH18713FB800
Vetoing device: STORAGE\Volume\1&30a96598&0&Signature22F022FOffset7E00Length18713FB800
Vetoing service name: FileSystem\Ntfs
Veto type 6: PNP_VetoDevice
When Windows attempts to install, upgrade, remove, or reconfigure a device, it queries the driver responsible for that device to confirm that the operation can be performed. If any of these drivers denies permission (query-removal veto), then the computer must be restarted in order to complete the operation.
User Action
Restart your computer.
i really want to fix this problem, its been going on for months and months. should i find 32 bit?
more logs, if you can help me to clean or get a clean install let me know.
this one is strange
The Plug and Play operation cannot be completed because a device driver is preventing the device from stopping. The name of the device driver is listed as the vetoing service name below.
Vetoed device: STORAGE\VOLUME\1&30A96598&0&SIGNATURE22F022FOFFSET7E00LENGTH18713FB800
Vetoing device: STORAGE\Volume\1&30a96598&0&Signature22F022FOffset7E00Length18713FB800
Vetoing service name: FileSystem\Ntfs
Veto type 6: PNP_VetoDevice
When Windows attempts to install, upgrade, remove, or reconfigure a device, it queries the driver responsible for that device to confirm that the operation can be performed. If any of these drivers denies permission (query-removal veto), then the computer must be restarted in order to complete the operation.
User Action
Restart your computer.
i really want to fix this problem, its been going on for months and months. should i find 32 bit?
momok
Posts: 2,127 +6
Hi,
I must reiterate for the final time. I do not need to see all these log files. I only need three: HijackThis, ComboFix and AVG Antispyware.
It also appears more and more to me that your problem may not be malware related. Several of your HijackThis entries show (file missing) for system files and to be honest I have no idea why is that so for your system.
Everytime I see your HijackThis log I see new software. I understand your concerns with the system, but please do not go around downloading more and more tools for your system while we are still in the midst of fixing it.
It sounds like you have several problems which do not seem linked to malware infection. If you have a back up of your important files and documents, I would actually suggest a reformat. The fact that I found a commercial keylogger on your system increases my conviction that you should do so. If you do banking on your system, please contact your bank and inform them that your information may have been compromised.
That said, if you still wish to have a go at cleaning your system, please do the following.
Download Combofix from the link in my signature and replace your existing Combofix.exe file.
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
Logical Disk Manager Administrative Service
Event Log
HTTP SSL
IIS Admin Service
IMAPI CD-Burning COM Service
Distributed Transaction Coordinator
FTP Publishing Service
Message Queuing
Net Logon
NT LM Security Support Provider
NVIDIA Display Driver Service
Plug and Play
IPSEC Services
Protected Storage
Remote Desktop Help Session Manager
Security Accounts Manager
SNMP Trap Service
Virtual Disk Service
Volume Shadow Copy
WMI Performance Adapter
Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:
HYENA < this is a known commercial keylogger
Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
hyena.exe
After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 29A1877F2D0EACFF20B6507A3C00F31B)
O1 - Hosts: ECHO is off.
All O23 entries.
Close HJT.
Navigate in Windows Explorer and delete the following files and folders in bold.
D:\Program Files (x86)\Hyena\
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. I do not need other logs.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
I must reiterate for the final time. I do not need to see all these log files. I only need three: HijackThis, ComboFix and AVG Antispyware.
It also appears more and more to me that your problem may not be malware related. Several of your HijackThis entries show (file missing) for system files and to be honest I have no idea why is that so for your system.
Everytime I see your HijackThis log I see new software. I understand your concerns with the system, but please do not go around downloading more and more tools for your system while we are still in the midst of fixing it.
It sounds like you have several problems which do not seem linked to malware infection. If you have a back up of your important files and documents, I would actually suggest a reformat. The fact that I found a commercial keylogger on your system increases my conviction that you should do so. If you do banking on your system, please contact your bank and inform them that your information may have been compromised.
That said, if you still wish to have a go at cleaning your system, please do the following.
Download Combofix from the link in my signature and replace your existing Combofix.exe file.
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how HERE
Next turn on "Show all files and folders, including hidden and system". See how HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
Logical Disk Manager Administrative Service
Event Log
HTTP SSL
IIS Admin Service
IMAPI CD-Burning COM Service
Distributed Transaction Coordinator
FTP Publishing Service
Message Queuing
Net Logon
NT LM Security Support Provider
NVIDIA Display Driver Service
Plug and Play
IPSEC Services
Protected Storage
Remote Desktop Help Session Manager
Security Accounts Manager
SNMP Trap Service
Virtual Disk Service
Volume Shadow Copy
WMI Performance Adapter
Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:
HYENA < this is a known commercial keylogger
Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
hyena.exe
After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
F2 - REG:system.ini: UserInit=userinit (filesize 26112 bytes, MD5 29A1877F2D0EACFF20B6507A3C00F31B)
O1 - Hosts: ECHO is off.
All O23 entries.
Close HJT.
Navigate in Windows Explorer and delete the following files and folders in bold.
D:\Program Files (x86)\Hyena\
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. I do not need other logs.
Regards,
Your friendly momok =)
This thread is for the use of logikz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Similar threads
Latest posts
-
Enthusiasm for electric vehicles wanes among US buyers, despite new choices- GrayDragon replied
-
FAA finally replacing floppy disks and Windows 95 in air traffic control systems- Squid Surprise replied
