I'm a newbie at this; from what I read here in other topics, some logs from ComboFix and HJT are required. I have already done it. Can someone check them?
I really appreciate all your help.
I'll have a look if you post the logs. You can attach them by using the Additional Options button on the reply page.
Welcome to the forum.
OK, here are my logs:
I'm not that familiar with Vista, so I've asked another member to look in. We can start with this.
Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:
Click Mode
Click Advanced mode
If you get a warning, answer "Yes"
Click Tools
Click Resident
Uncheck Resident "TeaTimer" and SDHelper if installed
Click Allow change
Reboot
Open HJT, run a system scan only, and checkmark these lines if present:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU..\Run: [cmds] rundll32.exe C:\Users\Ramosy\AppData\Local\Temp\sstst.dll,c
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?PT (file missing)
Close all other browsers/windows, click Fix, and close HJT.
Update your Java
Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications".
Click the download button on the right.
If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.
You do not have to install the Java Web Start ActiveX Control.
Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and save the file jre-6u4-windows-i586-p.exe to your desktop; do not run it.
When the download is complete, Open Control Panel > Add/Remove Programs:
Uninstall anything that says Sun Java, Java JRE, or similar.
Close Add/Remove Programs.
In Windows Explorer, navigate to C:\Program Files\Java (this folder, if found). Delete any subfolders it may contain.
Do NOT delete C:\Program Files\JavaVM (this folder, if found)!
Reboot your computer.
Double-click on the saved file to install the update.
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main “Select Files to Delete” choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
I followed the steps as you mentioned. The only problem I had was at the beginning, unchecking SDHelper; it was not reachable. But TeaTimer was OK to uncheck. All the rest I accomplished.
At the end you mention the Firefox and Opera browsers, but I'm using only Internet Explorer. Should I do something?
I don't know if any step is still to come, but right now the problem remains; at least the windows with advertisements are opening in no order, and Avast recognises it.
Please advise if there's something still to do.
Despite all this, I really appreciate your help.
I executed ComboFix and HJT once again now.
Just in case that you might want to see it.
Thanks.
Hi there, Oldman asked me to look at the Vista log ;D
Please open Notepad
Click Start, then Run. Type notepad.exe in the Run box.
Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\Users\Ramosy\AppData\Local\Temp\sstst.dll
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cmds"=-
Then in the text file go to File > Save As and in the dropdown box set Save as type to All Files.
Save the above as CFScript.txt
Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
Combofix.txt
A new HijackThis log.
THEN
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your Desktop.
Close ALL OTHER PROGRAMS.
Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
Under Additional Scans, click the checkbox in front of the following item to select it:
Reg - BotCheck
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete, Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Word Wrap is not checked. If it is, click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in.
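An added example, not code from the thread or from the HijackThis/ComboFix authors: a small Python triage script that applies the checks Oldman and Essexboy applied by hand to the O2/O4/O9 lines above, and then emits a CFScript.txt in the File::/Registry:: layout used in this post. The sample log is constructed (the avast! entry and its path are assumed, and HijackThis really writes "HKCU\..\Run", which the thread's copy lost a backslash from); the "DLL loaded by rundll32 from a Temp folder" rule is my own heuristic, not HijackThis logic. Only O4 Run entries are translated into the CFScript; the orphaned O2 BHO and O9 button are reported for HJT's Fix button, as in the thread.

```python
import re

# Constructed sample log (not the poster's actual log): the three lines Oldman
# asked to fix, plus one assumed benign HKLM entry so the filter has something to pass.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Ramosy\AppData\Local\Temp\sstst.dll,c
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?PT (file missing)
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# HijackThis line shapes for the three sections the thread touches.
O4_RE = re.compile(r"^O4 - (HKCU|HKLM)\\?\.\.\\Run: \[([^\]]+)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O9_RE = re.compile(r"^O9 - Extra button: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# rundll32 takes "<dll>,<entrypoint>"; capture the DLL path before the comma.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^,\"]+)\"?", re.IGNORECASE)


def parse_hjt(text):
    """Turn HijackThis O2/O4/O9 lines into dicts; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            hive, name, cmd = m.groups()
            entries.append({"type": "O4", "line": line, "hive": HIVES[hive],
                            "value": name, "command": cmd})
        elif m := O2_RE.match(line):
            entries.append({"type": "O2", "line": line, "name": m.group(1),
                            "clsid": m.group(2), "path": m.group(3)})
        elif m := O9_RE.match(line):
            entries.append({"type": "O9", "line": line, "name": m.group(1),
                            "clsid": m.group(2), "path": m.group(3)})
    return entries


def flag_suspicious(entries):
    """Heuristic triage (assumption: mirrors what the helpers flagged by eye)."""
    findings = []
    for e in entries:
        if e["type"] == "O4":
            m = RUNDLL_RE.search(e["command"])
            # A Run value that makes rundll32 load a DLL out of a Temp folder
            # is the classic persistence shape seen in this thread.
            if m and "\\temp\\" in m.group(1).lower():
                findings.append({**e, "dll": m.group(1).strip(),
                                 "reason": "rundll32 loading a DLL from a Temp directory"})
        elif e["type"] == "O2" and e["path"].endswith("(no file)"):
            findings.append({**e, "reason": "BHO CLSID registered but no backing file"})
        elif e["type"] == "O9" and e["path"].endswith("(file missing)"):
            findings.append({**e, "reason": "extra button whose target file is missing"})
    return findings


def build_cfscript(findings):
    """Emit a ComboFix CFScript in the File::/Registry:: layout used in the thread.

    Only O4 findings are translated; O2/O9 orphans are left for HJT's Fix button.
    The trailing '=-' after a value name tells ComboFix to delete that value.
    """
    files, registry = [], []
    for f in findings:
        if f["type"] != "O4":
            continue
        files.append(f["dll"])
        registry.append(f"[{f['hive']}\\{RUN_KEY}]")
        registry.append(f'"{f["value"]}"=-')
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if registry:
        parts.append("Registry::\n" + "\n".join(registry))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = flag_suspicious(parse_hjt(SAMPLE_HJT_LOG))
    for f in found:
        print(f"{f['type']}: {f['reason']}\n    {f['line']}")
    print("\n--- CFScript.txt ---")
    print(build_cfscript(found))
```

Run it on a real HijackThis log by replacing SAMPLE_HJT_LOG with the file's contents; the printed CFScript block is what gets saved as CFScript.txt and dragged onto ComboFix.exe, exactly as described in the post.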
Hi Essexboy, thanks for your assistance.
I started doing the first steps; at the moment I inserted the CFScript.txt file into ComboFix, the program ran and I clicked to start.
A few seconds after loading, an error window popped up: "You can not rename ComboFix as ComboFix. Please use another name." And the program shut down.
What should I do now?
No problem, I will get them with WinPFind if you could now run that.
I will find out what the ComboFix problem is.
If I understand correctly, I need to have that program. I'm trying to download WinPFind in several ways, but it directs me to a page that is not available from www.bleepingcomputer.com. Is there any way to do it?
OK, here it goes in the attachment.
Thanks!
OK, got it ;D
Start WinPFind35. Copy/paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> cmds -> %SystemDrive%\Utilizadores\Ramosy\AppData\Local\Temp\sstst.dll
[Files/Folders - Created Within 30 days]
YY -> sed.exe -> %System32%\sed.exe
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Well, after the Run Fix step, a Spybot S&D window popped up saying: "Spybot - Search & Destroy has detected a change to a System Startup entry." It asked me to allow, and I clicked Yes. The program ran and ended by asking to reboot. I didn't do it yet; it's saying that teatimer.exe doesn't allow a reboot. The system popped up multiple windows saying:
- Access violation at address 004b6be9 in module 'Teatimer.exe'. Read of address 00000010.
- Access violation at address 6f1135f5. Read of address 6f1135f5.
Each time I try to close them, more are coming. It's endless.
What now, reboot?
By the way, the trojan is still working... Avast still catches it from time to time when Internet Explorer is open.
Yes, reboot.
Could you turn TeaTimer off please and re-run the WinPFind fix. My apologies on that, I should have noticed. TeaTimer is protecting the malware.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
Open Spybot Search & Destroy.
In the Mode menu, click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu, click "Exit" to exit Spybot Search & Destroy.
OK, I've done it.
Here are the results.
OK, I believe we have a hidden driver that I need to find. I assume Avast is still alerting; if so,
We will now do a deep search of your processes and files.
Download avz4.zip from here
Unzip it to your desktop to a folder named avz4.
Double-click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg
Click Start to begin the update.
Note: If you receive an error message, choose a different source, then click Start again.
Start AVZ.
Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box.
Click on "Execute selected scripts".
Automatic scanning, healing and system check will be executed.
A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewalls) during the system scan.
All applications will work properly after the system restart.
When restarted:
Start AVZ.
Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
Click on "Execute selected scripts".
A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
E-mail both zip files to me; I will PM my address.
I'm doing the scan now. In a few minutes I will post after the restart.
Thanks.
No probs, sorry you have to mail them, but the forum does not allow that sort of file to be uploaded.