- 12-06-2005 10:08 PM #21
Just to answer the question of whether things can run from System Restore: yes, they can. We really don't like people to turn off System Restore unless it is necessary. A "bad" restore point is better than no restore point.
Things have also been known to run from the recycle bin.
Steam will advise you on what to do
BG
- 12-07-2005 02:34 AM #22
Thanks for the information re: System Restore and the Recycle Bin. I just went and made sure my Bin was emptied...
No worry here, if anything I am Restore Point obsessed :lol:
- 12-07-2005 02:55 AM #23
Hi steam,
I just tried to do a reboot in Safe Mode using your latest instructions and I did not hear a "beep" at all.
I did hear the beep though when using the start > run > msconfig (Symantec Document) method given in your post # 13.
I'm not sure if there is a reason to do it differently? Just in case there is, I guess I will wait to hear from you. I have DL'd both the SmitRem and the fix.zip to my Desktop so I am ready to go. (I mistakenly saved the fix.zip to the wrong place, which is why it was DL'd twice, sorry about that :? )
One last thing, will all of the efforts I made yesterday (as described above) mean the fix.zip will have to be re-written? If so, I'm really sorry
I look forward to hearing from you as I have become hopeful that this issue can be fixed without having to wipe and reformat and reinstall everything ...
Thanks again
- 12-07-2005 03:20 PM #24
Hi
quote:
A housecall completed with problems found and I believe it fixed some but not these:
C:\WINDOWS\System32\mscornet.exe
C:\WINDOWS\System32\mssearchnet.exe
...The fix.zip file you downloaded was to remove the registry run keys for these 2 files (they are not running from a section of the registry which hijackthis scans, so are not shown in a hijackthis log)
quote:
The same two as housecall plus this:
C:\WINDOWS\System32\hp1EC8.tmp ... twice, calling it Adware:adware/spyaxe
...from your first hijackthis log :-
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp5B39.tmp
notice the similarity ?
---
The different ways to get into safe mode both end up in the same place; it doesn't matter which one you use. If you use the msconfig way, you have to reverse it to get back to normal mode; if you use F8, restarting will automatically go back into normal mode.
You say ewido gives a clean scan ?
last time it found and deleted :- C:\WINDOWS\system32\mssearchnet.exe
ewido scan :-
C:\WINDOWS\system32\hp5B39.tmp -> Downloader.Zlob.br : Cleaned with backup
C:\WINDOWS\system32\mssearchnet.exe -> Downloader.Zlob.bw : Cleaned with backup
C:\WINDOWS\system32\nvctrl.exe -> Trojan.Puper.bp : Cleaned with backup
Also, System Restore WILL have this infection backed up in restore points, but it won't be reinfecting from there unless you try to do a system restore...
---
OK this is what I want you to do now...(in this order)
Disable Spybot's TeaTimer (it could interfere with the cleanup).
To disable TeaTimer:
1. Open Spybot
2. Click Mode -> Advanced Mode
3. Click Yes
4. Click Tools (located in the bottom left corner) -> Resident
5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active'
6. Then close Spybot and restart your computer
Once the cleaning is finished you can re-enable it.
1. unzip the fix.zip and doubleclick the reg file...
2. run the smitRem.exe as per my previous instructions (go to safemode any way you want)
3. run ewido again ... it wont do any harm (save the log and post it if it finds anything)
4. doubleclick the reg file again
5. run winpfind and save the log for me...
6. boot back to normal and run the SpyAxeFix from post #8
7. Run hijackthis... save and post the log.
Post ALL the logs from the above...
And let me know how the computer is running again...
cheers
steam
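The registry side of what steam describes above (a Run value for each dropped .exe, plus a Browser Helper Object registered under a random hpXXXX.tmp name in system32), as an added example that is not part of this thread and is not the code of fix.zip, smitRem or HijackThis: a Python script that triages HijackThis-style O2/O4 log lines and writes the kind of .reg file fix.zip is said to contain. The sample log is constructed; the HomepageBHO line and its CLSID are the ones quoted from the log in this thread, while the second BHO, the ccApp value, the two O4 lines and the blocklist are assumptions. The .reg syntax and the registry paths are real.

```python
"""Triage HijackThis-style log lines and emit a .reg file that removes what
was flagged.  Added example for this thread; it is not fix.zip, smitRem or
HijackThis code.  Only the .reg syntax and registry paths are real; the
sample log, the blocklist and the heuristics are constructed here."""

import re
from dataclasses import dataclass

# Constructed sample in HijackThis line format (O2 = Browser Helper Object,
# O4 = autostart value).  The HomepageBHO line and its CLSID are the entry
# quoted in the thread; the Example Helper BHO, the ccApp value and the two
# O4 lines for the thread's file names are assumed (the thread says those
# Run values sat where HijackThis does not look, so read the O4 lines as
# if a tool that walks more autostart locations had reported them).
SAMPLE_LOG = r"""
O2 - BHO: HomepageBHO - {3e9b951e-6f72-431b-82cf-4a9fbf2f53bc} - C:\WINDOWS\system32\hp5B39.tmp
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mssearchnet] C:\WINDOWS\system32\mssearchnet.exe
O4 - HKCU\..\Run: [mscornet] C:\WINDOWS\system32\mscornet.exe
"""

# File names the thread's scanners reported (Housecall, ewido): a blocklist
# for this one case, not a general detector.
KNOWN_BAD = {"mscornet.exe", "mssearchnet.exe", "nvctrl.exe"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
                   r"\[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# A BHO is a DLL that Internet Explorer loads at start; one living in
# system32 under a .tmp name (hp5B39.tmp, hp1EC8.tmp ...) is the pattern
# steam points at with "notice the similarity?".
TMP_BHO_RE = re.compile(r"\\system32\\[^\\]+\.tmp$", re.IGNORECASE)

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_BASE = r"SOFTWARE\Microsoft\Windows\CurrentVersion"


@dataclass
class Finding:
    kind: str    # "bho" or "run"
    hive: str    # HKLM or HKCU (BHOs are registered under HKLM)
    key: str     # Run/RunOnce/RunServices, or the BHO's CLSID
    value: str   # Run value name; empty for a BHO
    path: str    # what the entry launches or loads
    reason: str


def exe_name(cmd: str) -> str:
    """Lower-cased base name of the program in a Run value's command line.
    A quoted path is handled; an unquoted path with spaces is cut at the
    first space, which is also how Windows would try to resolve it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split(" ", 1)[0]
    return prog.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list:
    """Return a Finding for every O2/O4 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            if TMP_BHO_RE.search(m.group("path")):
                findings.append(Finding("bho", "HKLM", m.group("clsid"), "",
                                        m.group("path"),
                                        "BHO loaded from a .tmp file in system32"))
            continue
        m = O4_RE.match(line)
        if m and exe_name(m.group("cmd")) in KNOWN_BAD:
            findings.append(Finding("run", m.group("hive"), m.group("key"),
                                    m.group("value"), m.group("cmd"),
                                    "file name is on the blocklist"))
    return findings


def build_reg(findings: list) -> str:
    """Regedit-importable text: '[-key]' deletes a key, '"name"=-' deletes a
    value.  This only unhooks the entries; the files themselves still have to
    be deleted (in safe mode, as the thread does with smitRem), and the BHO's
    own CLSID registration under HKCR\\CLSID is left to that cleanup."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f.kind == "bho":
            lines += [f"[-{HIVES['HKLM']}\\{BHO_KEY}\\{{{f.key}}}]", ""]
        else:
            lines += [f"[{HIVES[f.hive]}\\{RUN_BASE}\\{f.key}]", f'"{f.value}"=-', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind}: {f.hive}\\...\\{f.key} [{f.value}] {f.path} ({f.reason})")
    print()
    print(build_reg(found))
```

Running the script prints the three hits (the .tmp BHO and the two Run values) and the .reg text; the benign ccApp and helper.dll entries are left alone. Importing such a file only removes the autostart hooks, which is why steam's sequence runs the reg file once before the safe-mode file cleanup and again afterwards: while the dropped executables are still alive they can simply write the values back.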
- 12-08-2005 01:32 AM #25
Eeks ...
Thanks for explaining the content of the fix.zip
I see what you mean.
What had me confused with the F8 method is I didn't hear a *beep* so I didn't know when to hit the button and then the Windows icon came up. I'd rather not try to guess when is the right time to use the button. I hope that makes sense. I definitely hear the *beep* and get the prompt when using the msconfig method.
I was very surprised 8O
If I am re-infected and I know I am and the online scanners found the same stuff as before how can it be hiding from ewido?
I've looked at the Calendar but I have not attempted to do a restore since I started working with you on this issue.
:|
Okay I disabled the Resident and got through Step 1 but when I went into Safe Mode to continue the procedure I have no smitRem or reg folders on the Desktop. (The fix.zip undid itself to a folder instead of straight to the Desktop.)
I'm not sure if this is relevant or not but the OP of this Topic indicates SpyAxe follows them into Safe Mode. ( http://forums.spybot.info/showthread.php?t=846 ) To me it definitely seems like it is adapting within my computer. Why else would it now be invisible to ewido?
Anyway, I have no idea what to do next. I guess I could save the fixes to somewhere other than my Desktop? Would this be okay?
Humm? I just tried something. I asked to see hidden Folders but that didn't get them to appear on the Desktop. I thought it was worth an attempt?
I guess, I'll sit tight till I hear from you? This time no going off on my own ...
Bye-For-Now :?
- 12-08-2005 01:55 PM #26
Hello to all reading this,
I think I need clarify. What I meant by "going off on my own" was to go here:
http://www.help2go.com/article217.html
And this time make a more determined effort to complete ALL the tasks indicated. This involved DLing, installing and running programs as required.
And also, as I indicated above, I followed steam's original remedy a second time.
I did not "shop around". I am committed to completing this process.
One final note, I was re-infected while doing research only. I did not entertain or otherwise use advice given elsewhere. What I may have done is save Links to interesting information to my Favorites. This was done from the computer with the issue. Now I am only connecting to the Internet when required by instructions given here or briefly daily to check for updates on the following products:
Ad-Aware
Spybot
NAV
Windows
If one is found, as with Ad-Aware yesterday, I initiate a Full scan. (Yesterday's scan found nothing.)
If this activity is inappropriate to the efforts being offered in this Thread then I will cease doing so.
Thank you again steam for your patience.
- 12-08-2005 03:03 PM #27
Hi
It doesn't matter if the reg file is in a folder or on the desktop, and none of the others HAVE to be on the desktop, I just asked you to put them there so that you could find them easily, you can put them where you want.
You should hear a single beep when your computer boots, this is to say that the BIOS settings have loaded and all is OK, it's at this point, after the BIOS has loaded but before windows starts to load, that you need to keep tapping f8 to get the menu, which gives you the option to boot into safemode.
Checking for updates and running the programs as you have done is no problem.
just do what you can in safemode, anything you can't do, do in normal mode after you reboot...but let me know exactly what you've done.
I would also like you to run CCleaner FIRST from normal mode, before doing anything else....
Download CCleaner from :-
http://www.ccleaner.com/ (click the download tab)
After installing, go to Start > programs > CCleaner
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies
History
Recently typed URLs (leave this unticked if you DON'T want to clear the drop-down list in the address window of IE)
Delete index.dat files
under "Windows explorer"
Other explorer MRUs (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Empty recycle bin
Temporary files
Memory Dumps
Chkdsk File Fragments
Old prefetch data
If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
By the way, I am a member at over a dozen security sites, including spybot forums, :wink:
steam
- 12-08-2005 03:37 PM #28
Okay, I'll find another place for them
I guess not knowing that I could put them anywhere will tell you just how pathetic my knowledge of computers really is :roll:
Sorry but I don't hear any beep.
Is this maybe because of the "Normal Startup" Selection I keep using when I reboot from safe mode using the msconfig method? I realise that you indicated I didn't need to do this but I "felt" bullied by the warning message to do it so I decided that putting it in "Normal Startup" eliminated one stress for me.
Thanks
I will.
Will do! There is no worry about needing Cookies. We are always clearing them out. Including going to Setting > Check Files to make sure they are all cleared including the ones for Favorites. The only MRU items I might miss would be in my Imaging programs but I can live with that :wink:
- 12-08-2005 05:05 PM #29
I have completed this task.
Because I am a curious kind of person I did click "analyse" to see what would be deleted and noticed that it looked like I was going to lose all the Log Files made by Spybot, Ad-Aware and ewido. I guess this is normal? After I completed the clean I checked just to see if I was reading the results correctly and I was. I also found something else interesting. When I went into Ad-Aware I see I have a quarantine file 33 KB made 04-12-2005 with 65 objects in it. I don't remember getting a scan with this many results. But quarantined means the items can't run? Right? Should I delete it? At the end of scans if I know that what was found was BAD I usually delete the file, this being there is strange.
Anyway, I await further instructions.
- 12-08-2005 05:28 PM #30
Hi
Everything you say is correct, that's why I wanted you to run it first, now when you run the rest of the programs you will have the logs to post.
Usually a file is only moved to quarantine when there is doubt as to whether it is malware; if it subsequently proves to be OK, it can be moved back to where it came from... if you are sure the files in question are bad, then delete them.
steam