BleepingComputer.com: log file Goya


log file Goya for grinler

#1 Goya

Posted 21 October 2004 - 03:34 AM

Thanks grinler !!

Attached File(s)



#2 CalamityKen

Posted 21 October 2004 - 08:02 AM

Goya, welcome.

Please print this out and follow ALL these directions carefully.

This is a new CoolWebSearch (CWS) hijack infection and is hard to remove.
http://www.silentrunners.org/sr_cwsremoval.html

Note: Every time you reboot the files multiply and change names. This process is like exterminating cockroaches.

If you insist on running file (music) sharing applications like KaZaa then you will continually be infected by all kinds of nasties in the downloaded files.
This is the new preferred method of virus/worm/trojan spreaders to get into your system and there will be no detection nor removal capability for days/weeks.
The spreaders count on this time to do their nastiness and create new nasties that are not detected.

Go to Add/Remove Programs and uninstall it.

Please download the tool called about:buster from
http://www.downloads.subratam.org/AboutBuster.zip
or
http://www.majorgeeks.com/download4289.html

Unzip it to your desktop.

In WinME/XP turn off System Restore.
http://www.arnoldco.com/help/html/disable_restore.html

Then reboot into Safe Mode by tapping F8 key repeatedly during bootup.

Enable System Restore after the infection is removed.

Double click aboutbuster.exe, click OK, click Start, then click OK.
This will scan your computer for the bad files and delete them.

Now start HijackThis and tick the boxes next to these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\nqwlb.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://C:\WINDOWS\system32\nqwlb.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\nqwlb.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {489CB8A5-F200-EAC7-EB4D-CADBFD62480E} - C:\WINDOWS\mfcak32.dll
O4 - HKLM\..\Run: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\kazaa\kazaa.exe /SYSTRAY
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Now close ALL windows and hit Fix checked.
Do not open Internet Explorer to come back here until after running the tool.

Install the prevention protection below and help your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Ensure that Index.dat Suite is set up to empty the Temp folders, especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find and create the run.bat and reboot to have it remove what it finds.

{user} is the User Account ID.
Removal of infections and prevention protection should be installed on ALL User Account IDs.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html
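
Added example, not part of the thread or of HijackThis itself: a small Python triage script that parses HijackThis-style entries like the ones listed in post #2 and groups the Internet Explorer R0/R1 values by the DLL their res:// URL loads from, plus any BHO registered with no name. The function names and the two heuristics are assumptions chosen to match the entries in this thread; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: a subset of the entries quoted in post #2.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nqwlb.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\nqwlb.dll/index.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {489CB8A5-F200-EAC7-EB4D-CADBFD62480E} - C:\WINDOWS\mfcak32.dll
O4 - HKLM\..\Run: [iegx32.exe] C:\WINDOWS\system32\iegx32.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\kazaa\kazaa.exe /SYSTRAY
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>HK\w+\\.+?),(?P<name>[^=]+?) = (?P<data>.*)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
BHO = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

def parse(log):
    """Yield (code, body) for every line shaped like a HijackThis entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def res_redirects(log):
    """Map each DLL to the IE registry values (R0/R1) that load a page from it."""
    hits = defaultdict(list)
    for code, body in parse(log):
        reg = REG_VALUE.match(body) if code in ("R0", "R1") else None
        res = RES_DLL.match(reg["data"]) if reg else None
        if res:  # assumption: a res:// URL into a local DLL is worth review
            hits[res["dll"].lower()].append((reg["key"], reg["name"]))
    return dict(hits)

def unnamed_bhos(log):
    """Return (clsid, path) for O2 entries registered without a display name."""
    out = []
    for code, body in parse(log):
        m = BHO.match(body) if code == "O2" else None
        if m and m["name"] == "(no name)":
            out.append((m["clsid"], m["path"]))
    return out

if __name__ == "__main__":
    for dll, values in res_redirects(SAMPLE_LOG).items():
        print(dll, "<-", len(values), "IE values")
    print(unnamed_bhos(SAMPLE_LOG))
```

Grouping by DLL shows at a glance that every hijacked start and search value in this log points at the same file, so the list of boxes to tick and the file to look for on disk can be cross-checked against each other.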
