I have done many virus scans, and anti spywares.
O15 - Trusted Zone: http://www.neededware.com
It keeps appearing over and over no matter how many times I remove it from hijack.
Also, whenever I do a hijack scan it would freeze at O15 right before it would list neededware. Not sure if this is important or not.
Here's a fresh hijack log
Logfile of HijackThis v1.99.1
Scan saved at 2:07:10 PM
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Open HJT, and click on 'Open misc tools section', then click on 'Delete a file on reboot', a File Open window will appear. Copy/Paste the following into it.
C:\windows\System32\fluo.exe
Then click on Open, and you will be prompted to reboot, select No at this time. Do the same for this.
C:\windows\System32\jlrf.exe
Rescan with HJT, and remove these items.
O4 - HKLM\..\Run: [fluo] C:\windows\System32\fluo.exe
O4 - HKLM\..\Run: [jlrf] C:\windows\System32\jlrf.exe
O4 - HKCU\..\Run: [wwfw] C:\PROGRA~1\COMMON~1\wwfw\wwfwm.exe
O15 - Trusted Zone: http://www.neededware.com
Reboot into Safe Mode.
Delete all files and folders located in these folders.
C:\Windows\Prefetch
C:\Windows\Temp
C:\Documents and Settings\username\Local Settings\Temp
Delete this folder.
C:\Program Files\Common Files\wwfw
Then reboot into Normal mode, and then enable System Restore. Please post a new HJT log.
You may be interested in SpywareBlaster, it puts sites like neededware into the Restricted Zone.
Thanks for responding.
I did everything you said except
O15 - Trusted Zone: http://www.neededware.com
wasn't there. It seems to appear and disappear by itself, that's why I thought the coincident "freezing" at O15 trusted zone enumeration had something to do with it.
And also I did as you said about doing another scan/log and fluo was never deleted.
Logfile of HijackThis v1.99.1
Scan saved at 10:09:39 PM
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Sorry double post.
I managed to add neededware.com to restricted zone using the spyware blaster you recommended. Does this mean I won't be receiving anymore popups and such?
No, that isn't a double post, just an addon.
There is a neat little thing I like about the Restricted and Trusted Zones. That is the fact that a website cannot exist in both zones at the same time. When a site is in the Restricted, and the settings are at least their default level, they are restricted so much as not able to put so much as a cookie on you. Yes, it can stop some popups, but not all.
When in the Trusted, and the Trusted settings are at the default, all ActiveX controls (they are the DPF's or Downloaded Program Files in HJT) are enabled for them, you are not prompted if you want to download and install things, it just happens. That is why neededware kept wanting to be there.
You have something new here, along with "fluo", please download About:Buster.
Please 'Delete on reboot' as before with this. It is possible the file is already gone, it just put its startup before it was deleted on reboot as it was running hidden when you removed the startup with HJT.
C:\windows\System32\fluo.exe
Rescan with HJT, and remove these with all internet browsers and Windows Explorer windows closed.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\YOOn\LOCALS~1\Temp\se.dll/sp.html
O4 - HKLM\..\Run: [fluo] C:\windows\System32\fluo.exe
Close HJT and open About:Buster and have it update itself, close for now.
Reboot into Safe Mode. Set Folder Options to show all files. This is important as you may not see this file (C:\DOCUME~1\YOOn\LOCALS~1\Temp\se.dll) unless you do.
Delete all files and folders located in these folders.
C:\Windows\Prefetch
C:\Windows\Temp
C:\Documents and Settings\YOOn\Local Settings\Temp
If you want to make sure those files are all deleted in that last folder, copy/paste these commands into the Start\Run window, one line at a time.
attrib -h -s -r "C:\Documents and Settings\YOOn\Local Settings\Temp\*.*"
del "C:\Documents and Settings\YOOn\Local Settings\Temp\*.*"
Then reboot in Normal mode, and run About:Buster twice, back to back.
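The zone behaviour described in the reply above, as an added example that is not part of the original thread: Internet Explorer records each site's zone as a single number under the ZoneMap\Domains registry key (2 = Trusted, 4 = Restricted), so listing those values shows what has been placed in the Trusted Zone. The export text and the example.test domain are constructed for illustration.

```python
import re

# Zone numbers Internet Explorer stores per site in the ZoneMap registry key
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted",
         3: "Internet", 4: "Restricted"}
MARKER = "\\zonemap\\domains\\"
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in `reg export` text form (real exports are UTF-16 files;
# decode them before passing the text in). example.test is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\neededware.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000004
'''

def zone_entries(reg_text):
    """Return (site, zone name) pairs for every ZoneMap\\Domains value."""
    entries, host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(MARKER)
            if pos == -1:
                host = None          # not a per-site key
                continue
            # Key layout is Domains\<domain>[\<subdomain>]
            parts = key[pos + len(MARKER):].split("\\")
            host = ".".join(reversed(parts))
            continue
        match = VALUE_RE.match(line)
        if match and host:
            scheme, zone = match.group(1), int(match.group(2), 16)
            site = host if scheme == "*" else f"{scheme}://{host}"
            entries.append((site, ZONES.get(zone, f"zone {zone}")))
    return entries

def trusted_sites(reg_text):
    """Sites mapped to zone 2, the kind of entry HijackThis lists under O15."""
    return [site for site, zone in zone_entries(reg_text) if zone == "Trusted"]

if __name__ == "__main__":
    for site, zone in zone_entries(SAMPLE_REG):
        print(f"{zone:10} {site}")
```

Running the same check before and after cleanup shows whether a Trusted Zone entry has been written back.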
fluo.exe doesn't appear on the hijack but
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
does now.
And the about:buster gives me an error "run-time error '5'"
del C:\Documents and Settings\YOOn\Local Settings\Temp\*.*
Gives me an error when I try to start/run it.
Last edited by DayDreamer; 4th August 2005 at 01:06.
I deleted everything+the folder C:\Documents and Settings\YOOn\Local Settings\Temp\
but can't delete the Application Data, History, temporary internet files folders which I am sure aren't supposed to be deleted.
can't delete the Application Data, History, temporary internet files folders which I am sure aren't supposed to be deleted
No, you shouldn't. I only suggested the files contained in this folder.
C:\Documents and Settings\YOOn\Local Settings\Temp
Apparently About:Buster is corrupt, as the error code means 'Invalid procedure call or argument'.
That will automatically appear when using Msconfig. The next time you boot, you will get the message box about things being changed at startup, check the box and click on OK, or just remove it with HJT.
Gives me an error when I try to start/run it.
Do this instead, take both of those dos commands, and copy\paste them into Notepad. Make sure they are still two separate lines. Then go to Edit and select Save As.
Then in the new window, where it says 'Save as Type' change it from (Text Documents) to (All files), use this name, "rundel.bat". Then go to where you saved it (My Documents?) and double-click it. A dos window will appear and go away, it is then done.
Not all are bad, just a location of temp files, for use by bad and good things. Malware will store things there, to infect you.
C:\DOCUME~1\YOOn\LOCALS~1\Temp\se.dll/sp.html
This was there.
Legit applications will store things there, for their use. After all, they are only temp files, and will only clutter up the system as they are looked at as the system starts up, always good to clean it out.