coltm4carbine

Members
  • Posts: 273

Everything posted by coltm4carbine

  1. post a HJT log while you're here. I give you the tools (not using symantec taking it out the hard way) p.s I won't even think about worrying about rs accounts. I am a bit concerned about your computer...
  2. They're 2 completely different things. One's Internet Explorer (IEXPLORE.e3e) and the other one is the Windows Explorer (explorer.e3e). A few viruses use the same name so it depends on its location. ok post back the online scan results. Not sure about windows updates- working fine for me. If the o15 does come back then i get you to use a special tool for it.
  3. Don't use hijackthis.de. It gives out false positives- and i think it also tells you to fix an o10 (bad idea). I need the running processes part of the log and i give you the fix for new.net when i find it.

     Edited with canned. I am not going to tell you to fix the entries in HJT cos i need the running processes.

     new.net fix <- do this first because it messes with your lsp.

     First, Download LSPFix[Caution: ExecutableFile] to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

     To Get rid of NewDotNet, go to: Start > Control Panel > Add or Remove Programs and remove the following: New.Net Applications or New.Net Domains (anything that says New.Net)

     If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

     In the event that you lose Internet access after removing New.Net, please double-click LSPFix[Caution: ExecutableFile] that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.
  4. hi, not too bad. move HJT out of the temp. Had a really quick scan and i can't see anything wrong. lol definitely the cleanest log i've seen on this forum so far :) p.s have you posted this log on another forum? I have just dealt with one that looks a lot like yours...
  5. move HJT to somewhere while ur at it :lol: The r1 looks dodgy... so does one of the o4.
  6. sorry for my absence-I was expecting to be back yesterday evening. log looks a lot better. do a google for "housecall". That's another online scan. run it. As for panda which file does it get stuck on? Also go offline, close everything and fix this: O15 - Trusted Zone: http://www.neededware.com <- It's adware. If you fixed it but it keeps on coming back let me know and i get you to fix it using another tool.
  7. yes. Did you show hidden files? If it still don't work then type in the whole path of it. Did you show hidden files? Change the .e3e to [Caution: ExecutableFile]? still missing the first line (HJT version)... lol looks like the new version detected something the old one didn't... C:\WINDOWS\System32\a8o1v.e3e (CAUTION - executable file) C:\WINDOWS\System32\a8o1v.e3e (CAUTION - executable file) C:\WINDOWS\System32\a8o1v.e3e (CAUTION - executable file) C:\WINDOWS\System32\a8o1v.e3e (CAUTION - executable file) C:\WINDOWS\System32\a8o1v.e3e (CAUTION - executable file) C:\WINDOWS\System32\a8o1v.e3e (CAUTION - executable file) C:\WINDOWS\System32\a8o1v.e3e (CAUTION - executable file) Send: C:\WINDOWS\System32\a8o1v[Caution: ExecutableFile] C:\WINDOWS\System32\kbimim.e3e (CAUTION - executable file) C:\WINDOWS\System32\p0rb06y.e3e (CAUTION - executable file) to an online scanner too. Post the results!!! finally Go on google and search for panda Activescan. Run the online scan and Save the result. Copy and paste the result and Post It here. It should at least come up with something like this: (gonna be loads of entries for neededware) I am gonna get you to download something when i get back (gtg somewhere) so don't fix the 015 yet! As for the files you can't delete try again after showing hidden files. If you still can't delete i will give you a program to do it for you.
  8. Spyaxe ain't active anymore. (usually an o4 entry). Have you run smitrem already? Smitrem usually takes care of it. After running smitrem (Which i think you have already) run an online scan to take care of the rest. Yes it does (the McAgent[Caution: ExecutableFile] (something like that)). The other one should be the real time protection and the auto-updater.
  9. -hang out on other forums
     -talk on msn
     -hang out with friends down town
     -get kicked out of the library (sometimes)
     -enjoy life :)!
  10. ok I'll do that in the future (if i remember). go offline close everything and fix these:

      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
      R3 - Default URLSearchHook is missing
      O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\bk1.dll <-adware
      O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.e3e (CAUTION - executable file)<=First one
      O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.e3e (CAUTION - executable file) <-The second one
      O15 - Trusted Zone: http://www.neededware.com <-did u put it there? if not fix it.
      O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

      The following are randomly named files but i can't find the infection. Please submit the following file to these online file scanners.

      C:\WINDOWS\System32\kbimim.e3e (CAUTION - executable file)
      C:\WINDOWS\System32\p0rb06y.e3e (CAUTION - executable file)

      Jotti File Scan
      VirusTotal File Scan

      This will produce a report after the scan is complete, please copy and paste those results in your next post along with a new log.

      Be sure you're able to view hidden files. After that delete the following files/folders:

      C:\WINDOWS\system32\bk1.dll
      windir32.e3e (CAUTION - executable file) <=you will need to use the "search".

      Rehide your hidden file. Before you post the new log please can you update your version of HJT -it's old.

      How's your internet? Any problems when getting on the net etc? It seems something tried to remove a malware in the LSP but left some traces ("hence the broken internet connection") update your version of HJT and then we'll see if it's still there. In the future when you post your HJT log please include the top part. thanks.

      p.s to weezcake There's meant to be 2 or more if one dies the other starts and vice versa. :)
  11. i know why... tip.it had to change a part of the url from [Caution: Executable File]cutable (first 3 letters) to .e3e that's why. this is a pain cos u'll need it. i give you another link without the .e3e in it. ok copy and paste this url in the address bar: http://www.stevengould.org/downloads/cl ... anUp40[Caution: ExecutableFile] change the .e3e (CAUTION - executable file) to [Caution: ExecutableFile] click go and it should go straight to the download page.
  12. yeh i guessed :D ok when you've done what my canned told you to do can you post back the logs (i wanna see them)? (also the online antivirus one-i wanna check out the windir32[Caution: ExecutableFile]) after the fix please can you post a new HJT log. kk bear with me (i only updated my canned before my holiday- a few days ago) new links: CWShredder. You will need to update to the new version. The trend micro website ain't working for me either. Cleanup! You don't need to update this one.
  13. ok first question about:blank. Did you set it (i don't think so because i can see the se.dll (sign of a nasty CWS infection)). if you didn't set it then your computer has been infected with cws. my main concerns are (please don't fix anything yet):

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\CHARLI~2\LOCALS~1\Temp\se.dll/sp.html <-I underlined the sign of an infection
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

      if you want to fix it then here's my canned:

      ====================================================

      Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

      This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

      You have a nasty CoolWebSearch infection.

      First we will need to download a few tools that will help us in the removal of your problem.

      Download about:buster by RubbeRDuckY Here.
      Download CWShredder Here.
      Download SpSeHjfix Here.
      Download and install CleanUp! Here

      Save all of these files somewhere you will remember like to the Desktop.

      Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

      Run the CleanUp! installer. You don't need to do anything with it right now.

      Update About:Buster
      - Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
      - Navigate to the AboutBuster directory and double-click on AboutBuster[Caution: ExecutableFile].
      - Click "OK" at the prompt with instructions.
      - Click "Update" and then "Check For Update" to begin the update process.
      - If any updates exist please download them by clicking "Download Update" then click the X to close that window.
      - Now close About:Buster

      Update CWShredder
      - Open CWShredder and click I AGREE
      - Click Check For Update
      - Close CWShredder

      Boot into Safe Mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

      Please run about:buster by RubbeRDuckY:
      - Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
      - Click Yes to allow it to shutdown explorer[Caution: ExecutableFile].
      - It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
      - When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
      - Reboot your computer into safe mode again

      Run about:buster again following the same instructions as above, this time without the restart at the end

      Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

      Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

      Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.

      Reboot your computer into normal windows.

      Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply) [this should also catch any viruses you have]

      After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

      ++++++++++++++++++++++++++++++++++++++++++++++++++

      I check the rest of the log later - i usually take out specific infections first before i fix any other things.
  14. yeh I mean linux and macs would have holes in it. it's just the case of who wants to hack it. Most people in this world hack windows... the reason? because most people use windows. If linux and windows swapped places then i think linux will be the one that needs to be updated every 2nd week of the month (7th-15th of the month - that's when microsoft usually have an update). just my opinion. and it also depends on the user. If the user is a regular at adult sites their chances of getting infected will be higher than people that use their computer for work.
  15. sorry all mods and admins. i didn't make it clear enough not to put my name on this forum. i can't post the tool on that forum so i need to post it here. Drag i pmed you. i need to see the log first. and like i said in the pm please don't put my name on this forum- it's not just me on here. p.s please delete this topic and the previous one- i am waiting for a hjt log to tell me if spyaxe is still active on his comp. tia.
  16. looks good only some orphaned reg entries. I am on holiday so i don't have any canned speech or tools with me. please disconnect from the internet, close all programs and re-scan HJT. Then fix these: R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O4 - HKLM\..\Run: [stopSignSsTsMon] Rundll32.e3e (CAUTION - executable file) "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus <-optional. IMHO not the best thing to have. It was a rogue for doing driveby downloads on ur pc. then reboot your computer go into normal mode and go to add/ remove program. remove Stop sign
  17. weirder... this is basically what a BSoD is meant to be: ok well you might as well do some virus-scans. doubt it but might be a virus though...
  18. kk, the next time it comes up then copy the words and numbers- then some people might be able to figure out what is wrong. I only know the most common ones. (not all but some). might as well do an av scan when you can (ie now). see if it finds anything. bit weird that safemode don't work.
  19. are you talking about the BSoD? (sounds like it) what are the letters and numbers? for example, if it's the BSoD, Stop 0x00000050 or PAGE_FAULT_IN_NONPAGED_AREA indicates it's requested data was not in memory. The system generates an exception error when using a reference to an invalid system memory address. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause Stop 0x50 messages. etc... can you boot into safemode?
  20. nvm someone beat me to it... anyways you can wait till ie7. Should come out sometime in april if it all goes well.( ie7 has tabs)
  21. hi, I can give you symantec's removal tool. It hardly works but it's worth a try. the tool can be found here. if it doesn't work then you can post a HJT log here. i'll give you the fix for vundo (using rather advanced tools). It worked on everyone i used it on (including myself).
  22. you shouldn't download anything from spyware... anyways if you're not careful you get a lop.com infection too. try what the above post told you to do - if it don't work then dl HJT and i give u my canned for smitfraud/ spysheriff. (you only need the smitrem)
  23. ok had a quick look all looks good :)
  24. hi no you have not done it right- not really. i have a look through the log. here's my canned for doing it hopefully it will clear things up: Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt. Move HJT into this new folder please. This is important so please do this prior to anything else please