Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help, please....Thank You!!!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Angelfire777 » August 9th, 2007, 7:28 am

Hi,

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_____

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean.bat in the File name and save it to your desktop.

Code: Select all
@echo off 

for %%g in ( 
C:\WINDOWS\SYSTEM32\afnpafn(2).dll 
C:\WINDOWS\SYSTEM32\msfoiaaa.exe
C:\WINDOWS\SYSTEM32\tovtbdrt(2).dll
C:\WINDOWS\SYSTEM32\dvlrkcby.dll.bak
C:\WINDOWS\SYSTEM32\tovtbdrt.dll.bak
C:\WINDOWS\SYSTEM32\vxtkaoph.dll
C:\1671390.*
"C:\Documents and Settings\Bob Parchman\Desktop\[4]-Submit_2007-08-08_102446.39.zip"
"C:\Program Files\Internet Explorer\msimg32.dll"
) do ( 
attrib -s -h -r %%g 
del /s/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

for %%g in ( 
"C:\DOCUME~1\BOBPAR~1\APPLIC~1\eAcceleration"
C:\1671390
C:\QooBox
) do ( 
attrib -s -h -r %%g 
rd /s/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

if exist "%temp%\log.txt" (start notepad "%temp%\log.txt" 
) else echo.Deleted Successfully! 
echo. 
pause 
del %0


Locate clean.bat on your Desktop and double-click on it. Tell me what it says.

Post back with a fresh HijackThis log and tell me how's your machine running.
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am
Advertisement
Register to Remove

Unread postby bob38058 » August 9th, 2007, 11:26 pm

Hi,
I downloaded the text & saved it to all files & downloaded it to my desktop, but when I click on it, the black screen flashes up for a second, then disappears. It won't print a log. Sorry if I messed it up. Here is the latest Hijack this log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:24:59 PM, on 8/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bob Parchman\Desktop\HiJackThis_v2.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif

--
End of file - 1971 bytes
Please let me know how to proceed. Thank You. My computer is running, much, much better & has been ever since you started helping me!
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Unread postby bob38058 » August 9th, 2007, 11:28 pm

Hi,
In the Hijack this scan, I'm not sure what entry this is:
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif

But I'm not able to clear my system of it. Thanks, Bob
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Unread postby Angelfire777 » August 9th, 2007, 11:42 pm

Hi,

In the Hijack this scan, I'm not sure what entry this is:
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif


It's the one here:
Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab

Please fix that entry using HijackThis if you do not use it.

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type clean2.bat in the File name and save it to your desktop.

Code: Select all
@echo off 

for %%g in ( 
"C:\WINDOWS\SYSTEM32\afnpafn(2).dll"
C:\WINDOWS\SYSTEM32\msfoiaaa.exe
"C:\WINDOWS\SYSTEM32\tovtbdrt(2).dll"
C:\WINDOWS\SYSTEM32\dvlrkcby.dll.bak
C:\WINDOWS\SYSTEM32\tovtbdrt.dll.bak
C:\WINDOWS\SYSTEM32\vxtkaoph.dll
C:\1671390.*
"C:\Documents and Settings\Bob Parchman\Desktop\[4]-Submit_2007-08-08_102446.39.zip"
"C:\Program Files\Internet Explorer\msimg32.dll"
) do ( 
attrib -s -h -r %%g 
del /s/f/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

for %%g in ( 
"C:\DOCUME~1\BOBPAR~1\APPLIC~1\eAcceleration"
C:\1671390
C:\QooBox
) do ( 
attrib -s -h -r %%g 
rd /s/q %%g 
if exist %%g echo.%%g >>"%temp%\log.txt" 
)>nul 2>&1 

if exist "%temp%\log.txt" (start notepad "%temp%\log.txt" 
) else echo.Deleted Successfully! 
echo. 
pause 
del %0


Locate clean2.bat on your Desktop and double-click on it. Tell me what it says.

Post back with a fresh HijackThis log.
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Unread postby bob38058 » August 10th, 2007, 12:27 am

Hi,
It said Delete Sucessful. Here is a new Hijack scan:
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bob Parchman\Desktop\HiJackThis_v2.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O24 - Desktop Component 0: (no name) - http://adisney.go.com/disneypictures/ca ... /mater.gif

--
End of file - 2004 bytes

I still can't delete 024 file though. I deleted it from the desktop, and mark "fix checked" on hijack this, but it will not go away. Thanks, Bob
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Unread postby Angelfire777 » August 10th, 2007, 12:30 am

Try this:

Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab
Uncheck and Delete everything you find in there. (Except for "My Current Home Page.")
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Unread postby bob38058 » August 10th, 2007, 1:06 am

I have correctly deleted it this time. Thank You! Do I need to take any further action?
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Unread postby Angelfire777 » August 10th, 2007, 9:55 am

Please post a fresh HijackThis log for a last look :)
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Unread postby bob38058 » August 11th, 2007, 1:22 am

Hi,
Here is the scan:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:17:21 AM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Documents and Settings\Bob Parchman\Desktop\HiJackThis_v2.exe

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 2625 bytes

I got the Trend Micro pc-cillin suite on a trial basis. I've heard good things about their system, but I would like your opinion. You definatly know what you are doing! I want to thank you so much, for all your help & patience! You have been a life saver. Do I still need the combofix & other programs? Thank You! Bob
bob38058
Regular Member
 
Posts: 19
Joined: August 4th, 2007, 10:19 pm

Unread postby Angelfire777 » August 11th, 2007, 1:33 am

Hi,

I got the Trend Micro pc-cillin suite on a trial basis. I've heard good things about their system, but I would like your opinion. You definatly know what you are doing! I want to thank you so much, for all your help & patience! You have been a life saver. Do I still need the combofix & other programs? Thank You! Bob


If you ask my opinion, I'd say its ok. I've never heard anything bad from their internet security suite. It's all up to you :)

No, you don't need those tools anymore. You may delete combofix now and the batch files that we created.
_______

Congratulations! Your log looks clean!

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

______________________
Here are some free programs I recommend that could help you improve your pc's security.

MVPS Hosts File
~You can download it from here
~I highly recommend this hosts file. You can learn more about this here

Install SpyWare Blaster
~You can download it from here
~You can read the tutorial on how to use Spyware Blaster here

IESpyAds
~You can download it from here
~If you want to know how IEspyads work you can take a look at it here
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Happy safe surfing!
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Unread postby NonSuch » August 14th, 2007, 3:14 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 482 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware