Spyware/Malware Problems, Please Help

Status
Not open for further replies.

JamesW

I completed the 8 step process and the files are attached. I got a few viruses a few weeks back and I am trying to fix them, but I do not know if they are completely gone. The viruses I got were Vundo, and Darksma, and Internet Speed Monitor.iCheck. Thank you.
 
You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what's there.

Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

You can now close the HJT directory.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {27203D7C-A218-4500-9903-B1461C30D9B4} - C:\WINDOWS\system32\iifcDTkj.dll (file missing)

O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\Me\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe

O20 - AppInit_DLLs: eicbuq.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\WINDOWS\system32\eicbuq.dll


Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let us know if you're still having problems.
 
Thank you very much for helping me, and I have a few questions. I only have one account on my computer and that is the administrator account. In order to boot into safe mode under an account that is not administrator will I have to create a new account, log off, sign into that account, then reboot? If so, will I have to download HJT for the new account also?
 
Normally, when you attempt to boot into safe mode it gives you the choice of using either your normal account name or the Administrator account.

However, if the only account presented to you is the admin account, then by all means use that.
 
Ok, I followed all the directions you gave me, and I have posted a new log. I found

O2 - BHO: (no name) - {27203D7C-A218-4500-9903-B1461C30D9B4} - C:\WINDOWS\system32\iifcDTkj.dll (file missing)

O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\Me\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe

O20 - AppInit_DLLs: eicbuq.dll

in HJT and fixed all problems, but I did not find C:\WINDOWS\system32\eicbuq.dll

Do you have any more suggestions? Once again, thank you for helping me.
 
Your HJT log is now clean. Don't worry that you were unable to find the eicbuq.dll file.

Unless you're still having problems, you should be good to go.
 
James, please allow me to mention some things:

You are running three security programs that include antivirus. You need to decide which you want to keep and uninstall the rest. They are:
Avira:
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
Avast:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
CC:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
McAfee:
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5456/mcfscan.cab
I suggest you proceed as follows:
Decide which program you want to keep - only one antivirus program should be running. Then:
Please re-open HiJackThis and scan. Check the boxes next to all the entries for the program you do NOT want to keep. Use the groups above that I have set up for you.

Then close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.

Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK all the processes for the programs you do NOT want to keep.

Start> Run> services.msc> do the following on each of the O23 Services listed above for the program you do NOT want to keep:
Right click on the Service> Properties> Set the startup type to Disabled> Stop the Service.

Control Panel> Add/Remove Programs> highlight and uninstall the program you do NOT want to keep.

Reboot into Normal Mode. ***NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

One more thing. You have SuperAntispyware running:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
but you did not provide a log. Please run a scan with the program, followed by a new scan with HijackThis and attach both logs.
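
The grouping done by hand in the post above, and the three entries fixed earlier in the thread, can be reproduced with a small parser. This is an added example, not part of the original posts or of HijackThis; the sample log is constructed from lines quoted in this thread, and the vendor path markers and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {27203D7C-A218-4500-9903-B1461C30D9B4} - C:\WINDOWS\system32\iifcDTkj.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\Me\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
O20 - AppInit_DLLs: eicbuq.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

# Assumption: path fragments identifying each product, taken from the paths in the thread.
AV_MARKERS = {"Avira": r"\\avira\\", "Avast": r"\\(alwil software|alwils~1)\\"}
ENTRY = re.compile(r"^(O\d+) - (.*)$")

def parse(log):
    """Yield (section, body) for each HijackThis 'O' entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def resident_antivirus(log):
    """Map product -> O4/O23 entries that load it at boot."""
    found = defaultdict(list)
    for section, body in parse(log):
        if section in ("O4", "O23"):
            for product, marker in AV_MARKERS.items():
                if re.search(marker, body, re.I):
                    found[product].append(f"{section} - {body}")
    return dict(found)

def review_candidates(log):
    """Entries worth a closer look: orphaned BHOs, autoruns from Temp, AppInit_DLLs."""
    hits = []
    for section, body in parse(log):
        if section == "O2" and body.endswith("(file missing)"):
            hits.append((section, "BHO points at a missing file"))
        elif section == "O4" and re.search(r"\\temp\\", body, re.I):
            hits.append((section, "autorun target lives under a Temp directory"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            hits.append((section, "DLL loaded into every process that loads user32"))
    return hits
```

More than one key in the result of `resident_antivirus` means two resident antivirus products are loading at boot, which is the conflict described in the post.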
 
Okay

I am going to be busy today, so I will complete the instructions by tomorrow. I also have a few questions, I thought I uninstalled McAfee earlier, but I guess not. In order to remove it do I just need to open HJT and fix the file that you gave me? Also, I thought I needed SuperAntiSpyware but is fixing the file you gave me just turning it off? Sorry, I am not very good with computers and I just have a few questions. Thank You.
 
Download the McAfee Removal Tool and Save to the desktop> don't run it yet.
You also need to decide between Avira and Avast.

I want you to scan with SuperAntispyware and attach the log, per these directions:
SAS:
Open the program from All Programs>
* Launch SuperAntiSpyware and click on 'Check for updates'.
* Wait for the updates to be installed
* On the main screen click on 'Scan your computer'.
* Check: 'Perform Complete Scan', then click 'Next' to start the scan.
* Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
* Make sure everything found has a checkmark next to it, then press 'Next'.
* Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Attach the notepad file here on your reply.
Boot into safe Mode:
Start> Run> msconfig> enter> Selective startup> Startup tab> UNCHECK all McAfee related processes> Apply> OK>

You can also remove either the Avast processes or Avira> whichever one you have decided NOT to keep in the same way.

Now double click on the removal setup on the desktop and run.

When through, reboot into Normal mode. ***Note: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.
 
The SuperAntiSpyware log is attached. I will remove McAfee, but I was wondering if I should keep Avira or Avast. Every day I get a few incoming trojan viruses that Avira detects and blocks, but Avast does not show any signs of use. Which one would you suggest keeping? Also, on the internet I only visit websites such as facebook and youtube, but I still get incoming attacks from viruses. Is this normal?
 
Every day I get a few incoming trojan viruses that Avira detects and blocks, but Avast does not show any signs of use.
How do you know that Avast isn't just doing its job and preventing the 'viruses or Trojans' from getting on the system? The fact that you have 2 'competing' AV programs is the reason for this.

but I still get incoming attacks from viruses. Is this normal?
Your antivirus program is not going to prevent scanning that may have malware. But when properly configured and by keeping updated, it should prevent the viruses from getting on the system.

Keep in mind that we now lean more toward the word 'malware' rather than viruses. This includes viruses, Worms, Trojans, pests, spyware and adware. And while an antivirus program may WARN you of malware, if it's not in the family of viruses, Worms, Trojans, it's not going to remove it. That's why you should have a firewall, an antivirus program and at least two spyware/adware programs for layered protection.

We tend to lean more toward Avast, but Avira is also good. The important thing is to get the system down to ONE antivirus program as more than that can cause a conflict which can leave the system more vulnerable.

I will check one more HijackThis log if wanted, after you get down to only one AV program. SAS is clean. How is the system working? If it is slow, it's because you have way too many programs and processes loading at startup.

Of all the O4 processes loading at boot, the only ones you need are:
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe>> touchpad for laptop
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
 
I think I removed McAfee and Avast, here is the HJT log. I was wondering, do I have a firewall, or should I install COMODO? Thank you
 
Okay, no malware. If you ever decide your startup, surfing and shutdown are too slow, think about taking those programs I mentioned off of startup.

Yes, you should have a firewall: Either/or, not both.
Recommended Free Firewall:
Comodo: http://www.personalfirewall.comodo.com/
Zonealarm: http://www.zonealarm.com/store/content/catalog/products/zonealarm_free_firewall.jsp

The cleaning programs can be removed:
* Download OTCleanIt
http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).
Clear your existing System Restore points and establish a new clean restore point:
Quote:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
* Next, go to Start > Run and type in cleanmgr
* Ensure the selection is on C:\ and click on OK.
* Select the *More options* tab
* Choose the option to clean up System Restore and OK it.
* This will remove all restore points except the new one you just created.
 
Thank you so much. I downloaded COMODO earlier today and things seem to be working great. Only one thing is that after I click on the OTCleanIt link and save it, I receive a notification that says that there is no publisher, and the software could be harmful to my computer. When I clicked run anyway, COMODO immediately gave me a warning about the dangers of the software, but should I carry on?
 
Okay, great, I think everything is running smoothly. Thank you for the help bobbye, and gillianbrown, who seems to have gotten banned....for giving false advice maybe? Hopefully not to me.
 