Hijack Log Full page pop up ads


  • This topic is locked
68 replies to this topic

#61 daveai

    Emeritus-ClassroomTeacher/Admin

Posted 29 January 2006 - 11:16 AM

Sorry for the delayed response. I'm not ignoring this, but have been interrupted by 'real life' for a day or two. I'll post my next recommendations later today.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous


#62 daveai

    Emeritus-ClassroomTeacher/Admin

Posted 30 January 2006 - 08:08 AM

Okay...I'm back.

I should be able to turn around replies in approximately one day going forward. Thanks again for your patience.

We made progress this last run...eliminating one of the troublesome files, and deleting the infected email (which was probably the source of the 'look2me' infection).

We'll whack at the remainders again with Killbox, but use slightly different options.


Save these instructions to a text file (Notepad) on your desktop so you can find them in safe mode.

First...reboot into safe mode and...

Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these four boxes and then press ok to remove: Downloaded Program Files, Temporary Files, Temporary Internet Files, Recycle Bin.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and when the scan is finished, choose Edit > select all -> File > delete.

Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold Ctrl and highlight a batch of them at a time. Once highlighted, right-click over the highlight and select delete. Rinse, lather, repeat until the folder is empty.


Then...while still in safe mode...


1) Please run Killbox.

2) Select "Delete on Reboot" and "Replace on Reboot" and check the "Use Dummy" box.

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


c:\WINDOWS\SYSTEM\UpdInstall.exe.tcf
c:\WINDOWS\Desktop\gettbar.exe
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE/WISE0077.BIN
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE
c:\WINDOWS\Downloaded Program Files\popcaploader.dll.tcf
c:\WINDOWS\Downloaded Program Files\UWFX5_0001_N53L1025NetInstaller.exe


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot.


And finally ... rerun the Kaspersky scan and send the results.

Thanks
daveai

#63 clueless123

    Authentic Member

Posted 30 January 2006 - 05:28 PM

I was not able to find these files c:\Windows\downloaded program files\conflict.1\toolbar_cobrand.exe\wise0077.bin, c:\windows\downloaded program files\conflict.1\toolbar_cobrand.exe, c:\windows\dowloaded program files\popcaploader.dll.tcf & c:\windows\downloaded program files\uwfx5_0001_n53l1025netinstaller.exe

Number of suspicious objects: 0
Duration of the scan process: 7331 sec

Infected Object Name - Virus Name
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE/WISE0077.BIN Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\WINDOWS\Downloaded Program Files\popcaploader.dll.tcf Infected: not-a-virus:Downloader.Win32.PopCap.b
c:\WINDOWS\Downloaded Program Files\UWFX5_0001_N53L1025NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.f
c:\!KillBox\msg118.dll Infected: not-a-virus:AdWare.Win32.Look2Me.an
c:\!KillBox\CSv20P160.exe Infected: Backdoor.Win32.Ruledor.j
c:\!KillBox\gettbar.exe/WISE0081.BIN Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\!KillBox\gettbar.exe Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\!KillBox\UpdInstall.exe.tcf Infected: not-a-virus:AdWare.Win32.Look2Me.b

Scan process completed.
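
An added example, not part of any post in this thread: a short Python triage of the scan report above, separating detections on live files from detections on copies in c:\!KillBox and collapsing embedded objects into the file that contains them. It assumes that c:\!KillBox is the folder where Killbox keeps copies of files it removed and that a `file/inner` entry names an object embedded in `file`; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the nine result lines from the scan report posted above.
REPORT = r"""
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE/WISE0077.BIN Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\WINDOWS\Downloaded Program Files\popcaploader.dll.tcf Infected: not-a-virus:Downloader.Win32.PopCap.b
c:\WINDOWS\Downloaded Program Files\UWFX5_0001_N53L1025NetInstaller.exe Infected: not-a-virus:Downloader.Win32.Agent.f
c:\!KillBox\msg118.dll Infected: not-a-virus:AdWare.Win32.Look2Me.an
c:\!KillBox\CSv20P160.exe Infected: Backdoor.Win32.Ruledor.j
c:\!KillBox\gettbar.exe/WISE0081.BIN Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\!KillBox\gettbar.exe Infected: not-a-virus:AdWare.Win32.Dogpile.a
c:\!KillBox\UpdInstall.exe.tcf Infected: not-a-virus:AdWare.Win32.Look2Me.b
"""

LINE = re.compile(r"^(.+?)\s+Infected:\s+(\S+)$")
BACKUP_DIR = "c:\\!killbox\\"  # assumption: Killbox's backup folder


def parse_report(text):
    """Return one record per 'Infected:' line; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # Assumption: 'file/inner' is an object embedded in 'file'.
        container = m.group(1).split("/", 1)[0]
        records.append({
            "file": container,
            "verdict": m.group(2),
            "riskware": m.group(2).startswith("not-a-virus:"),
            "in_backup": container.lower().startswith(BACKUP_DIR),
        })
    return records


def triage(records):
    """Group verdicts by on-disk file, split into live files and backups."""
    out = {"live": defaultdict(set), "backup": defaultdict(set)}
    for r in records:
        out["backup" if r["in_backup"] else "live"][r["file"]].add(r["verdict"])
    return out


if __name__ == "__main__":
    for bucket, files in triage(parse_report(REPORT)).items():
        print(bucket, {p: sorted(v) for p, v in files.items()})
```

On this report the nine lines reduce to three live files and four backup copies, and the only verdict without the `not-a-virus:` prefix sits in the backup folder.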

#64 daveai

    Emeritus-ClassroomTeacher/Admin

Posted 10 February 2006 - 09:01 AM

I apologize for losing track of this topic. Can you please give me an updated HijackThis log and a rerun of the Kaspersky scan? From your last results, the infected file load appeared to have been whittled down a few more. I'd like to see if there is anything on your system that is spawning new malware in the past 10 days. Thanks for your patience.

daveai

#65 daveai

    Emeritus-ClassroomTeacher/Admin

Posted 12 February 2006 - 02:48 PM

Hiya.

We received a suggestion from another member today (Erik-Dardan Ymeraga), that suggests you may be infected by the Klez virus, which is indicated by the presence of WINK.EXE on your system.

There is a removal tool for this pest, and instructions for downloading and running it at:

http://securityrespo...moval.tool.html

After trying this tool, please report back with your results.

Thanks
daveai

#66 clueless123

    Authentic Member

Posted 26 February 2006 - 03:31 AM

The link you gave me won't come up. Sorry I haven't responded; I didn't get an e-mail notifying me that you responded.

#67 Flute

    New Member

Posted 27 February 2006 - 12:11 AM

I recently cleared this exact same problem from my system. I see you have wink.exe running. That is the problem. It inserts itself into your startup list. Remove it from your startup list and remove the files in the folder C:\ProgramFiles\Wink. Also remove the two files: C:\web.exe and C:\wsetup.exe. Then kill the running process wink.exe. You may have to reboot. Even though it uses the same name as the Klez virus, this has nothing to do with the Klez virus. I went through the same ordeal of trying every virus/spyware scanner in existence. None of them flag this file.

Edited by Flute, 27 February 2006 - 12:15 AM.


#68 clueless123

    Authentic Member

Posted 27 February 2006 - 01:20 AM

I was finally able to open up the webpage and downloaded the tool. It says there is no Klez virus to be found on my computer.

#69 clueless123

    Authentic Member

Posted 27 February 2006 - 01:42 AM

Flute, I did what you suggested and it worked!!!!!!!!!! Thank you so much.
