Removing Trojans


Guest

My MS Anti virus detects a dialler on my system every day so I remove it. Can
anyone help me remove the threat permanently? It's an EGroup dialler that
self-installs each day.
 
Hello Paul;

In addition to what Mikolaj mentioned;

See Andy's reply in thread "Egroup" in the SIGNATURES forum dated 8/26/2005
as started by David Watkins

Good luck

Engel
 
Hi Paul - Try running MSAS from Safe mode or a "Clean Boot" twice. If
that doesn't work then start working your way through the steps outlined in
my Blog, Defending Your Machine, addy in my Signature, below, particularly
the A² Personal program.


From my Blog:

#########IMPORTANT#########

Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF) (including offline content.) Reboot and test if the
malware is fixed after using each tool.

HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339

Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):

1. Start|Run, enter msconfig.

2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.

3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.

4. Click OK and then reboot.

For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:

310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
 
Thanks for this Jim

I've tried running all sorts of removal tools in Safe Mode, but even after
deletion the same old items reappear as soon as I go online. I run Norton
Anti Virus every night, but this doesn't identify the threat, even though the
definitions are up to date. MS Anti Spy runs every night too; it finds the
same Trojan and I delete it every morning.

I've also run various removal tools from Trend Micro and Panda; again after
detection and removal, the problems reoccur.

I have the MS firewall turned on, and my internet broadband connection is
also firewalled. I'll try a few more things from your Blog, but do you think
investing in Symantec's Internet Security software (c$60) might help??

Kind regards
Paul Balaam
 
Hi Paul - In a word, NO. I don't ever recommend ANY non-commercial
Norton/Symantec software, or in your case any purchased software at all at
this point. What you need now is some expert assistance.

Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13

There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html

In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)

Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished, which will create hijackthis.log. Now click the Config
button, then Misc Tools, and click on Generate StartupList.log, which will
create Startuplist.txt.


Then go to one of the following forums:

Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Jim Eshelman's site here: http://forum.aumha.org/
or Bleepingcomputer here: http://www.bleepingcomputer.com/
or Computer Cops here: http://www.computercops.biz/forums.html
or Tom Coyote here: http://forums.tomcoyote.org/index.php?act=idx
or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949

Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance. Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken, to include what you've run and in what mode."
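Jim's post tells Paul to generate a StartupList before asking for help. As an added example that is not from the thread or from HijackThis, this PowerShell script builds a comparable inventory of autostart locations on a current Windows (Run keys, non-Windows services, scheduled tasks) and saves a dated copy so the list can be compared after each cleaning pass; the C:\HijackThis folder name follows the reply above, and the "suspect" path pattern is this example's own assumption.

```powershell
# Added example, not from the thread or from HijackThis: inventory the autostart locations
# that StartupList.txt and msconfig cover, so an entry that keeps reappearing can be spotted.
# Assumes a current Windows with PowerShell 5.1 or later, run from an elevated session;
# the C:\HijackThis folder name follows the reply above.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Run/RunOnce values: name -> command line
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a startup entry
        [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# Services whose binary lives outside the Windows directory (roughly the set that stays
# visible after "Hide All Microsoft Services" in msconfig)
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)\\Windows\\' } |
    ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }

# Scheduled tasks outside the built-in \Microsoft\ folder
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    [pscustomobject]@{ Source = "Task $($_.TaskPath)"; Name = $_.TaskName; Command = $cmd }
}

$all = @($runEntries) + @($services) + @($tasks)

# Commands launched from temp, profile or download locations deserve a closer look before
# deciding they belong there; this is a hint for review, not a verdict.
$suspect = '(?i)\\(Temp|AppData|Downloads|ProgramData)\\|\.(scr|pif|cmd|bat)(\s|"|$)'
$all = $all | ForEach-Object {
    $_ | Add-Member -NotePropertyName Suspect -NotePropertyValue ($_.Command -match $suspect) -PassThru
}
$all | Sort-Object Suspect -Descending | Format-Table -AutoSize Suspect, Source, Name, Command

# Keep a dated copy so the list can be diffed after each cleaning pass and reboot
$outDir = 'C:\HijackThis'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$all | Export-Csv -NoTypeInformation -Path (Join-Path $outDir ('startup-{0:yyyyMMdd}.csv' -f (Get-Date)))
```

Run it once before cleaning and once after the reboot that follows each tool; an entry present in both CSVs is the one to report in the forum post along with the HijackThis log.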
 
Dear Jim

You contacted me a while ago with some great information on virus removal,
for which I'm eternally grateful. The Aumha site in particular is fantastic
and I've had very, very few problems since I started following their
cleaning regime.

So thanks for your help; at the time it was greatly appreciated.

I have just one more query which you may/may not be able to help me with.

Since the last infection, which I successfully cleaned (with your help),
my registry editing facility has become disabled. When I type regedit, I get
a message saying 'it's disabled by the Administrator'.

I searched high and low to find how to turn it back on, but have been
unsuccessful. It's probably really simple, but I've reached a dead end.

If you can help, I would appreciate it.

Kind regards from the UK
Paul Balaam



 
Hi Paul - Download Registrar Lite 2.0 here:
http://www.answersthatwork.com/Downright_pages/downrights_registry.htm
(This is intentionally an older version - to see their most current stuff,
take a look here: http://www.resplendence.com/registrar)

Install it and then navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

On the right see if you have: DisableRegistryTools with a value of 1.
If so, then double click on that value and set the highlighted "Decimal"
field to 0, then OK out.

You might want to check the other restrictions shown there for values other
than 0 and reset to 0, UNLESS you know that they have been appropriately
restricted for some reason.

See if that straightens it out for you.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/
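The DisableRegistryTools check described above, as an added PowerShell example (not from the thread or from Registrar Lite): it lists every non-zero restriction under the policy keys and resets only that one value when run with -Fix, leaving the others for an administrator to judge, as Jim's caution suggests. The two extra policy keys beyond the one Jim names and the -Fix switch are assumptions of this example.

```powershell
# Added example, not from the thread or from Registrar Lite: audit the policy keys that
# malware commonly sets to lock the user out, show any non-zero restriction, and reset
# only DisableRegistryTools. Assumes PowerShell 5.1 or later; the second and third keys
# are this example's addition to the one named in the reply above.
param([switch]$Fix)

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-NonZeroRestriction {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return }
    foreach ($p in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # provider metadata, not a policy
        if ($p.Value -is [int] -and $p.Value -ne 0) {   # DWORD restrictions set to 1 (or more)
            [pscustomobject]@{ Key = $Key; Name = $p.Name; Value = $p.Value }
        }
    }
}

$found = foreach ($k in $policyKeys) { Get-NonZeroRestriction -Key $k }

if (-not $found) {
    Write-Host 'No non-zero policy restrictions found under the checked keys.'
} else {
    $found | Format-Table -AutoSize
}

# Only the value this thread is about is reset automatically; the others are listed so an
# administrator can decide whether they were set on purpose.
$target = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$lock = $found | Where-Object { $_.Key -eq $target -and $_.Name -eq 'DisableRegistryTools' }
if ($lock) {
    if ($Fix) {
        Set-ItemProperty -Path $target -Name DisableRegistryTools -Value 0 -Type DWord
        Write-Host 'DisableRegistryTools reset to 0; regedit should open again.'
    } else {
        Write-Host 'DisableRegistryTools is set; re-run with -Fix to reset it to 0.'
    }
}
```

If the value comes back after a reboot, something is still re-applying it, so the startup inventory from the earlier step is the next thing to check rather than resetting the value again.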


