Recently I got a virus, or several, which downloaded a multitude of others to my PC. I got rid of most, but a few remained. One particular one I found was SpySheriff, which I for the most part got rid of; however, some remnant of the original ware was left and repopulated my computer with itself. I attempted to follow some other instructions involving the editing of the win.ini file, but it seems to have been hijacked by some German virus that tells me it is currently in use. Also, I have the TIBS dialer virus, but cannot delete it as it is consistently active. (Luckily it can't hurt me because I am on DSL.) There is also a virus called WinSync which runs off of a non-existent program called yoyqrc.exe, with no internet references available.
After all the meddling I have already done in regedit, I don't want to fumble blindly any more for fear it will collapse the pile of registry entries.
Currently, my IE page is hijacked to "About:Blank". (But I don't use IE so it almost escaped my notice.)
Here is my HijackThis log: (I had three errors when it scanned.)
Logfile of HijackThis v1.99.1
Scan saved at 8:14:16 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I'd appreciate the help, and also, I was wondering if the large quantity of svchost processes was related to it. Thanks! (Ran Spyremover fully updated, AdAware updated, and Norton updated; none could take care of these completely.)
It's quite normal to have a few svchost.exe running, I have 4 right now.
Please let me know if you still have problems with SpySheriff after, so I can give instructions on downloading smitrem.
You have a narrator/qoologic trojan there.
You can do either of these:
1. Download and install the free version of Ewido Security Suite: http://www.ewido.net/en/download/ Update first, then scan in Safe Mode. It is important that you download updates, and the scan must be done in Safe Mode or it might miss the narrator/qoologic.
After running the Adware Away remover and removing those regkeys, I still have problems with the TIBS dialer and SpySheriff. Here is the logfile of my last spyremover scan.
--- Report generated: 2005-12-24 19:36 ---
Error during check!: Cabrotor [9] (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
Error during check!: MultiBinder1.2 (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
Error during check!: Redlabel (Datei C:\WINDOWS\system.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
Error during check!: Win32.Optix.C (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
Error during check!: Xuron55 [6] (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
There is that German win.ini and system.ini hijacking I mentioned earlier.
Here is an updated HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:40:00 PM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
There are only two unknown logfiles:
C:\Documents and Settings\Craig\My Documents\Craig\palm\CardExport\CardGate.exe
Check with an antivirus scanner
O4 - Startup: Shortcut to CardGate.exe.lnk = C:\Documents and Settings\Craig\My Documents\Craig\palm\CardExport\CardGate.exe
nothing to worry about.
I don't know why it doesn't show up in the logfile, but I definitely do have the TIBS dialer, because first, SpyRemover always finds it but cannot remove it, and second, because I have seen the stupid dial-up window pop up before, and when I tell it to cancel, it says something like "Cannot find www. i-xxx.net". The thing is that it gets its file, ms1.exe, to boot no matter how I start it. Even in Safe Mode, or if I tell the remover(s) to scan before Windows completely starts. Every time it finds TIBS' ms1.exe file and cannot remove it because it is in use by another application.
So mainly, I was wondering if you could direct me to a specific remover for it, like the specific remover for smitfraud which I used. Since it executed in DOS, I guess it was able to remove the files without the Windows file access denials.
So if anyone knows of a TIBS remover, I'd greatly appreciate it.
Have you tried Smitrem? When you use Ewido, please download updates and do the scan in Safe Mode.
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Please download, install, and update the free version of Ewido Security Suite: http://www.ewido.net/en/download/
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on "update" in the left menu, then click the "Start update" button.
- After the update finishes, the status bar at the bottom will display "Update successful".
- Exit Ewido. DO NOT run a scan yet.
Next, please reboot your computer in Safe Mode:
Open the "smitRem" folder, then double click the "RunThis.bat" file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal. Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.
Now open Ewido Security Suite.
- Click on Scanner
- Click on Complete System Scan and the scan will begin.
- Save the report to your desktop
- Close Ewido
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.