Trojan problems

By tauschung · 5 replies
May 20, 2009
  1. This last weekend I was searching on google, and started seeing pop-ups for my searches. I found this site and ran your suggestions (attached). I do not seem to have any more issues, but there could still be something there.

    Any help would be much appreciated. Also, what can I do to keep my computer safe in the future? I had the generic Windows firewall, and Norton AV...

    Edit: I guess I forgot my Avira scan.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    1. Malwarebytes found some malware. However you didn't do this:
    * Make sure that everything is checked, and click Remove Selected.

    So the malware entries show: No Action Taken

    Please update Malwarebytes and scan again, taking care to put in the checkmarks.

    2. SuperAntiSpyware has a similar feature. If you did not check the line there, UPDATE, scan again>
    be sure to check the removal line.

    3. You have entries for both Avira and Symantec security programs. Decide which you want to keep and uninstall the other. If you want to uninstall Symantec/Norton, use the Norton Removal Tool:

    4. If your computer has not had a 'pre-load cleaning', I suggest you give it one. Every manufacturer pre-loads a lot of 'junk' on a system. Most users don't realize it's there and/or don't use it. In your case, you have a lot of Acer entries that I suspect are in the junk realm. There are too many for me to list, but if you look through the HijackThis log, you'll see them all there, using valuable resources, slowing you down.

    You have 13 entries for Acer loading at startup.

    5. Please open HijackThis, and select Do a system scan only.

    Place a checkmark next to the following entries (if present):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    (See additional instructions at end re Ask Bar.)
    O4 - Global Startup: Empowering Technology Launcher.lnk = ?
    O4 - Global Startup: PCM Media Sharing.lnk = C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe

    Then, close all other open windows, leaving only HijackThis open, and select Fix checked.

    6. Start> Run> type in msconfig> enter> Selective Startup> Startup menu> UNCHECK the following:
    AskBar and any Ask related entries
    Then click on Apply> OK>
    NOTE: when you reboot the first time after making change on startup menu, you will get a nag message. You can ignore and close it after checking 'don't show this message again.' Stay in Selective Startup.

    Special consideration re: ActiveToolBand:
    O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
    * If, in File Properties, file size is 292 kb and company "HiTRUST": HiTrust browser plugin - part of Acer eDataSecurity Management software, it is a legitimate browser helper object.
    * If, in File Properties, file size is 28 kb and company information is missing: parasite, detected as W32/Istbar.WL@dl, check to have HijackThis remove it.
    Special consideration: Ask Bar: this is at least a part of the pop-up problem. Please follow the instructions on this site to completely remove the AskBar:

    I would like a better description of the kinds of pop-ups you're getting. They can indicate a particular type of malware.

    7. Please download ComboFix HERE.

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    After completing the steps I have given, attach the new Malwarebytes log, rescan with HijackThis and include the new log, and include the ComboFix report.
  3. tauschung

    tauschung TS Rookie Topic Starter

    1. I'm pretty sure, I remember removing them.

    3. I uninstalled them with CCleaner, and I checked my programs to see if I still have any Norton products. I see nothing.

    4. I'm not quite sure what to do here, and don't know what pre-load stuff I should disable..if any.

    6. I did not see anything. Possibly because I removed them in step 5?

    Note: I have not gotten any pop-ups since starting this process. I would get a pop-up from my desktop for whatever I searched for in the browser. So if I typed 'ComboFix' I would receive pop-ups about anti-virus applications, and Combo-Fix.

    Attached are the logs. I did before and after if you want to see them....

    I am going to work on removing that ask toolbar now.
  4. Bobbye


    Mbam 1: 5/19/2009 7:01:53 PM> Malware found, "No Action"
    SAS: 05/20/2009 at 08:16 AM> 1 file had malware> removed
    AVScan: 5/20/2009 10:09> clean
    HJ 1: entries removed 5/21/2009
    Mbam 2: 5/21/2009 5:04:10 PM> clean
    ComboFix : 05/21/2009 15:32.1> removed some orphans
    HJ 2: 5:05:04 PM, on 5/21/2009> Previous entries fixed, clean.

    CCleaner run> unknown time.

    You still have two Symantec entries. They are loading from the Registry on Startup: Please run the Norton Removal Tool as suggested. Entries are:
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

    This Service should be disabled:
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

    You also have entries from:
    ParetoLogic Anti-Virus PLUS> 5/15-17/2009>
    c:\program files\Common Files\ParetoLogic
    c:\programdata\ParetoLogic Anti-Virus PLUS
    c:\users\All Users\ParetoLogic Anti-Virus PLUS
    c:\users\All Users\ParetoLogic

    To uninstall the program from Windows Vista:
    1. Click Start and click Control Panel.
    2. In the left pane, select Control Panel Home.
    3. In the Program section, click Uninstall a Program.
    4. Select ParetoLogic Anti-Virus PLUS and click the Uninstall button.

    Then use Windows Explorer> Programs> right click> delete the program folder.

    You also have AVG file: 2009-05-15 15:53> c:\program files\AVG
    Please uninstall. Delete program file using Windows Explorer

    That should do it! If the original problem has been resolved:
    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTCleanIt by OldTimer:
    Save it to your Desktop.
    Double click OTCleanIt.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here.

    When finished with everything, empty the Recycle Bin.

    Then, as the saying goes, "you're good to go"! Let me know if you need more help.
  5. tauschung


    These programs are not in my software list to uninstall programs. I did use windows to uninstall them. And, I did try to use the Norton, uninstaller, but it would not work... I do not see them in my program files either, lol.

    Should I just run HJT to remove them?

    And, what should I do to protect myself in the future? Am I set to do that with Avira and Comodo?

    Thank you so much!
  6. Bobbye


    We'll take the last part first: the basic security should be:
    One antivirus program
    One software firewall. A router can add security with a hardware firewall
    Two or more spyware/adware programs:

    From SWI Forum: please see
    for all the links and directions:

    Also from SWI:
    You didn't say what 'would not work' meant when you tried the Norton Removal.
    Boot into Safe Mode:
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Start> Run> services.msc> double click on CLTNetCnService> change Startup type to Disabled> Stop the Service.

    Now try and run the Norton Removal Tool.
    Don't forget to empty the Recycle Bin.
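The three checks Bobbye asks for by hand in this thread (the ActiveToolBand.dll size/company test from post 2, the leftover CLTNetCnService with its missing binary, and the Security Center Monitoring keys for Symantec from post 4) can be done from one PowerShell session. This is an added example, not code from the thread or from any of the tools named in it; it assumes Windows PowerShell 3.0 or later run from an elevated prompt, and the 292 KB / 28 KB thresholds are taken from the post.

```powershell
# Added example (not from the thread). Read-only triage; it removes nothing.

# 1. ActiveToolBand.dll: per the thread, ~292 KB with company "HiTRUST" is the
#    legitimate Acer eDataSecurity plugin; ~28 KB with no company info is the parasite.
function Test-ActiveToolBand {
    param([string]$Path = "$env:SystemRoot\system32\ActiveToolBand.dll")
    if (-not (Test-Path -LiteralPath $Path)) { return "ActiveToolBand.dll not present" }
    $file    = Get-Item -LiteralPath $Path
    $kb      = [math]::Round($file.Length / 1KB)
    $company = $file.VersionInfo.CompanyName
    if ($company -match 'HiTRUST' -and $kb -ge 250) {
        return "Legitimate HiTrust plugin ($kb KB, company '$company')"
    }
    if ([string]::IsNullOrWhiteSpace($company) -and $kb -lt 50) {
        return "SUSPECT: $kb KB, no company info (matches the W32/Istbar.WL@dl description); fix the O2 entry in HijackThis"
    }
    return "Unrecognised: $kb KB, company '$company'; inspect manually"
}

# 2. Leftover Symantec service: state, start mode, and whether the binary is really missing
#    (HijackThis showed it as "(file missing)" in the O23 line).
function Get-LeftoverSymantecService {
    param([string]$Name = 'CLTNetCnService')
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) { return "$Name is not registered" }
    $p = $svc.PathName
    # Strip quotes and arguments so only the executable path is tested.
    if     ($p -match '^"([^"]+)"')  { $exe = $matches[1] }
    elseif ($p -match '^(.+?\.exe)') { $exe = $matches[1] }
    else                             { $exe = $p }
    $missing = -not (Test-Path -LiteralPath $exe)
    return "$Name state=$($svc.State) start=$($svc.StartMode) binary='$exe' missing=$missing"
}

# 3. Security Center monitoring keys that keep an uninstalled AV/firewall "registered".
function Get-SecurityCenterMonitoringEntries {
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | Select-Object -ExpandProperty PSChildName
}

Test-ActiveToolBand
Get-LeftoverSymantecService
Get-SecurityCenterMonitoringEntries
```

Any `Symantec*` names returned by the last function are the two keys Bobbye quotes; the Norton Removal Tool, not a manual registry edit, is the route the thread recommends for clearing them.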
Topic Status:
Not open for further replies.