HJT Log

Status
Not open for further replies.
Yes, follow the manual removal instructions.

Post a fresh HJT log when done.

Regards Howard :)

This thread is for the use of d00dette only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi Howard,

I am not sure how to remove processes (pressing ctrl+alt+delete does not show them). I searched in regedit and deleted files with the same name, but that wouldn't get rid of the processes, right? I am also not sure how to unregister files. Could you explain how to do both of these?

I removed the registry values (pressed delete) for the files which I could find in regedit. Some were not there, but I guess that's nothing to worry about?

I could not detect the files on Windows Search - do I search for them again in the registry?
 
To unregister a file do the following.

EXAMPLE ONLY. Click start/run and type regsvr32 /u example.dll and press the enter key.

Don't worry that the entries aren't there in task manager.

Hope this helps.

Regards Howard :)
 
Hi Howard,

When I tried to unregister the file, I got the message:

Load Library ("MyToolBar.dll") failed - The specified module could not be found.

Any thoughts?

I'm still not sure how to delete processes, how to delete specific files I can't find in Windows Search, or whether it matters that some registry values didn't come up in regedit.

Cheers,

Sophie
 
I actually think the Mytoolbar.dll file is gone. For some reason the entry in your HJT log is still there despite it saying file missing.

Try this and don't worry if you can't find any specific entries.

Remove Toolbar888 processes: Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

alfa.exe
Activate.exe
mc-110-12-0000228.exe


Close task manager.



Remove Toolbar888 registry values: Click start/run and type regedit into the run box and press the enter key.

Navigate to the following registry entries and in the right-hand pane delete them.

CBCC61FA-0221-4ccc-B409-CEE865CACA3A

Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\CBCC61FA-0221-4CCC-B409-CEE865CACA3A
Software\Microsoft\Internet Explorer\Toolbar\CBCC61FA-0221-4ccc-B409-CEE865CACA3A

MyToolBar

C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B

MyToolBar.MyToolBarObj

MyToolBar.MyToolBarObj.1

569304BA-83ED-4CFF-AC26-BE3E482F7208

C004DEC2-2623-438e-9CA2-C9043AB28508

Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\C004DEC2-2623-438E-9CA2-C9043AB28508
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\90459868-07CF-1033-0703-030122020001
SOFTWARE\Microsoft\Internet Explorer\Toolbar\C004DEC2-2623-438e-9CA2-C9043AB28508


Unregister Toolbar888 DLL files: Click start/run and type regsvr32 /u MyToolBar.dll and press the enter key.



Locate and delete these Toolbar888 files (if there):

alfa.exe
MyToolBar.dll
Activate.exe
mc-110-12-0000228.exe

Post a fresh HJT log when done.

Regards Howard :)
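To answer whether any of the items listed in the post above remain, a read-only PowerShell check can look for them directly. This is an added example, not part of the original thread; the registry hives, the CLSID/TypeLib/Interface locations and the folders scanned are assumptions, since the post gives only partial paths.

```powershell
# Read-only check for the Toolbar888 items named in the post above.
# Assumed (not in the thread): hives, HKCR subkeys, scanned folders, variable names.
$processes = 'alfa', 'Activate', 'mc-110-12-0000228'
$files     = 'alfa.exe', 'MyToolBar.dll', 'Activate.exe', 'mc-110-12-0000228.exe'
$runGuid   = '90459868-07CF-1033-0703-030122020001'
$guids     = 'CBCC61FA-0221-4ccc-B409-CEE865CACA3A',
             'C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B',
             '569304BA-83ED-4CFF-AC26-BE3E482F7208',
             'C004DEC2-2623-438e-9CA2-C9043AB28508'
$progIds   = 'MyToolBar', 'MyToolBar.MyToolBarObj', 'MyToolBar.MyToolBarObj.1'
$found     = @()

# 1. Running processes (Get-Process takes names without the .exe extension).
$found += @(Get-Process -Name $processes -ErrorAction SilentlyContinue |
    ForEach-Object { "process  $($_.Name) (PID $($_.Id))" })

# 2. Registry values whose name contains one of the GUIDs (-like is case-insensitive).
$valueKeys = 'Software\Microsoft\Internet Explorer\Toolbar',
             'Software\Microsoft\Internet Explorer\Toolbar\WebBrowser',
             'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in $valueKeys) {
        $key = Get-Item -LiteralPath "$hive\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            if (($guids + $runGuid) | Where-Object { $name -like "*$_*" }) {
                $found += "value    $hive\$sub -> $name"
            }
        }
    }
}

# 3. COM registrations: class keys for each GUID, plus the ProgID keys.
$classKeys = foreach ($g in $guids) { foreach ($t in 'CLSID', 'TypeLib', 'Interface') { "$t\{$g}" } }
foreach ($k in @($classKeys) + $progIds) {
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$k") { $found += "key      HKCR\$k" }
}

# 4. Files on disk; -Force includes hidden and system files.
$roots = $env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE
$found += @(Get-ChildItem -Path $roots -Include $files -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "file     $($_.FullName)" })

if ($found) { $found } else { 'None of the listed Toolbar888 items were found.' }
```

The script changes nothing on the system. An empty result only means these named items are absent; a rootkit of the kind Combofix reports later in this thread can hide entries from checks like this.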
 
Toolbar888 no longer appears in my HJT log, which is good.

I deleted the values listed - I pressed delete once, so it says 'value not set', and if I try to press delete again an error message comes up. Is this right?

This message still comes up when I try to unregister the Toolbar888 files:

Load Library ("MyToolBar.dll") failed - The specified module could not be found.

Is this a problem?

I still don't know how to find the files at the bottom of your last post, since they don't appear in Windows Search. Is there a better way to find them?

The processes mentioned don't come up in Task Manager - does that mean they are not on my system?
 
Like I said, don't worry if some of the files can't be found.

Please post a final HJT log. If as you say the entry is no longer there and everything else is ok, I think we can say this is solved.

Regards Howard :)
 
I'm afraid I don't think it's all gone. Spyware still picks up high risk trojan downloaders; I get firewall messages about IP 0.0.0. trying to connect to my computer; I get firewall messages about my computer trying to run NetBios sessions and connect to other IP addresses; my computer shuts down if I leave it for a little while. Sorry! Any advice whatsoever is still greatly appreciated.

Please find attached the recent HJT and Spyware logs.
 
Have HJT fix this inactive entry.

O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

Other than that your HJT log is clean.

Delete the Avenger backups and the Killbox backups.

Download and run these four tools in order.

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

http://www.atribune.org/content/view/24/2/

http://www.atribune.org/content/view/28/

Once you've done that, do the following.

Turn off system restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run a full system scan with your antivirus programme and delete whatever it finds. This includes anything in quarantine.

Run Ccleaner as per the instructions in this thread HERE.

Delete all files in AVG antispyware quarantine.

Delete these bold files.

C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
C:\Documents and Settings\Sophie Erskine\Local Settings\Temp\Temporary Internet Files\Content.IE5\0A2LM56Y

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post fresh HJT and AVG Antispyware logs.

Let me know what problems you're still having if any.

Regards Howard :)
 
For some reason, I can't load the 'Manage Attachments' window, so I'm gonna post my HJT and Spyware logs here.
 
I'm not getting any more weird firewall messages, and AVG Anti-Spyware doesn't detect any high risk items any more, which is good.

I don't know how to delete the Avenger backup - can you explain?

I couldn't find the bold files in your post. I assume that's a good thing?

Odd viruses keep on popping up. I have a feeling it might be something to do with this file:

C:\eywblbby

which was created at the same time as my computer originally got infected. Other files in the C:\ directory without a folder are:

C:\avenger.txt
C:\AVG7QT.dat
C:\rapport.txt
C:\internet explorer wallpaper.bmp
C:\deskbar_e34
C:\vundofix.txt

but those are all safe, I assume? Shall I delete the suspicious one above?
 
Uninstall Avenger and delete all its backups.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

PS: I have removed some of your previous attachments. Hopefully you will now be able to attach fresh logs.

Regards Howard :)

Edit: Our posts have crossed. Go to where you put Avenger and delete it, including any backups.
 
I just deleted every file called 'avenger' in Windows Search. Here are the logs.

My computer has started to run quite slowly - it's got quite a lot on it these days!!
 
According to Combofix your system is still infected with a rootkit.

Go HERE and follow all the instructions exactly.

If none of the above helps, I'd seriously consider backing up your important data and reformatting and reinstalling from scratch. Rootkits are notoriously difficult to remove.

Your HJT log is still clean.

Regards Howard :(
 
Hi Howard,

How do I create a temporary folder? And how do I download the latest pattern file?

Also, how do I open something in Windows Explorer?

Cheers,

Sophie
 
It means you need to create a new folder for the sysclean programme. It's up to you where you put it. Read the .txt file on the Trend website.

You can get the latest pattern file HERE.

Regards Howard :)
 