Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Hello
2 days ago AVG detected the howiper virus on my computer but cannot heal it. Since then I have had certain problems on startup. Sometimes it crashes before anything can launch. Luckily it only happens once in a while and computer still works but I'm sure it will get worse each day... I checked this topic http://www.computing.net/security/wwwboard/forum/17399.html but I cannot run Blacklight because it needs the userenv.dll and can't find it on my computer. Would like some instructions on how to completly remove this threat from my computer. Thanks in advance for your help.
Did you run AVG' scan while the computer was in the safe mode? Try using the Kaspersky scan from this url;
http://www.kaspersky.com/scanforvirus.html
0 
Scanned in safe mode but AVG didn't find it. Sent me an alert when I rebooted in normal mode indicating howiper.exe infection...can't heal it and can't send it to vault.
Was able to erase howiper.exe with killbox but I still get crashes so it probably came back or it was not only in my windows folder.
0
The entire drive, at the right hand top of the screen you will see on line virus scanner, select it.
0
Please download BlackLight by F-Secure from this link http://www.f-secure.com/blacklight/
The log should be on your desktop or root directory (C:\). This is the format for the log file name:
fsbl-<date-and-time>.logIf you have any trouble finding it do a search for fsbl*.log. Some of the files you see are legit so don't delete anything unless you know what you are doing.
Download killbox from this link Killbox Sounds like you already have killbox and Please download
http://www.atribune.org/content/view/19/2/ by Atribune you will need them in safe mode later.Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.
Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
Please download Fixwareout from this link
http://swandog46.geekstogo.com/Fixwareout.exe
or
http://downloads.subratam.org/Fixwareout.exe
Save it to your desktop and run it. Click next, then Install, then make sure "Run fixit" is checked and click finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.Post a copy at the log located at C:\fixwareout\report.txt. Hijack This may try to run but don't try to fix anything at this time but post a second HT log.
0
Downloaded everything but like I said in the first post I can't run blacklight because I'm missing a .dll it needs to run.
Here's the HijackThis logfile
Logfile of HijackThis v1.99.1
Scan saved at 17:34:48, on 06-03-17
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATI2EVXX.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.exe
C:\PROGRAM FILES\CREATIVE\AUDIO\PROGRAM\CTMIX32.exe
C:\WINDOWS\SYSTEM\INTERNAT.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.exe
C:\WINDOWS\SYSTEM\DESK98.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\MES DOCUMENTS\MY EBOOKS\HIJACKTHIS.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par Internet Victoriaville
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\PROGRAM FILES\FREE DOWNLOAD MANAGER\IEFDM.DLL
O3 - Toolbar: (no name) - {E7DD4340-37DC-11D8-A4D5-0060673AC264} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.exe /Consumer
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.exe /t
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .swf: C:\PROGRA~1\INTERN~1\PLUGINS\NPSWF32.dll
O12 - Plugin for .exe: C:\Program Files\Opera7\PLUGINS\npfdm.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fr/filesharingctrl.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {FA30EC32-668B-4B60-B13C-4C84EB90C3C9} (ActiveID Control) - http://www.meetstream.com/activex/activeid1003/activeid.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.115,85.255.112.152
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - (no file)
0
Sorry I forgot blacklight don't work on 98.
Lets see if this tool, "rootkit revealer"' will run on 98 (may and may not). Download it form this link http://www.sysinternals.com/files/rootkitrevealer.zip Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log. It will be a long log but post all of it even if it takes two post.
0
Hello jabuck, I did use this one about a year ago, even though it is in Chinese.
IceSword
http://itmanagement.earthweb.com/columns/executive_tech/article.php/3512621
Download
http://www.xfocus.net/tools/200509/IceSword_en1.12.rar
IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn't a "click-here-to-delete-rootkits" product but a sophisticated discovery tool that can protect against sinister rootkits if used before they infect a machine. For Windows.
IceSword's documentation is entirely in Chinese, but that wouldn't necessarily stop dedicated IT administrators from downloading the software and trying it on a test Windows PC. I encourage security professionals to look into this further and let me know what you learn.
0
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
»»»»» Misc files
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
»»»»» Misc files
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Search by size and names...
»»»»» Misc files
0
Lets try this.
Set the computer up to files hidden files as directed at this link Show hidden files
Reboot into safe mode by following the directions at this link if you need them How to boot into safe mode
From sase mode run Hijack This, place a check to the left of these items and press "fix checked":
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {E7DD4340-37DC-11D8-A4D5-0060673AC264} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.115,85.255.112.152 if fixwareout would not run do not remove this yet, if it did run you can remove it
Next while still in safe mode navigate to and delete these files if found.:
C:\WINDOWS\System32\yamue.exe
C:\WINDOWS\System32\idemlog.exe
C:\WINDOWS\system32\favset.exe
C:\WINDOWS\system32\filesafer23.exe
C:\WINDOWS\system32\dmfkc.exe
C:\WINDOWS\system32\howiper.exe
C:\WINDOWS\system32\pppcgm.exe
C:\WINDOWS\system32\sphlp32.exe
C:\WINDOWS\system32\csrvr.exe
C:\WINDOWS\system32\idesk.exe
C:\WINDOWS\system32\cswct.exe
C:\WINDOWS\system32\mscornet.exe
C:\WINDOWS\system32\A~NSISu.exe
idemlogobar.jpg Do a search for this and delete all instances
C:\WINDOWS\system32\idesk.conf
C:\WINDOWS\system32\close.bmp
C:\WINDOWS\system32\dating.bmp
C:\WINDOWS\system32\gambling.bmp
C:\WINDOWS\system32\insurange.bmp
C:\WINDOWS\system32\pharmacy.bmp
C:\WINDOWS\system32\xxx.bmp
Next while still in safe mode go to start>settings>control panel>internet options and:
clear history>yes
delete cookies>ok
delete files>ok.Navigate to and delete the contents(not the folder) of these folders if you have them:
C:\WINDOWS\Temp
C:\Temp
Reboot to normal mode and post you results if any.
0
Done. Fixed the items in HijackThis and erases howiper.exe from my system32 folder. Everything should be normal now?
0
Well only rebooted one time. I'll see over time if everything is running smoothly. Only had howiper.exe didn't have any of the other files. If I get the same problems again I'll update this post. Thanks for your help everyone !!
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
