Hijack This Log...about:blank etc


92 replies to this topic

#1 tiedyetriguy


Posted 04 February 2005 - 08:41 PM

This forum has helped me out in the past. I'm hoping someone can work their magic again.

Adware (about:blank, only the best, et al) have taken over my operating system Windows XP. On startup and logging on, my desktop remains empty, and I can only access programs/files through Windows Task Manager. There is no start up menu on the desktop.

Thank you in advance for any help! I really appreciate your efforts.

Here's the log:


Logfile of HijackThis v1.97.7
Scan saved at 5:33:52 PM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\d3wa.exe
C:\WINDOWS\iprn.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
F1 - win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C88F3E71-4E20-56A9-DB40-BFBD9CAC3434} - C:\WINDOWS\system32\mfczw.dll
O2 - BHO: (no name) - {E0B624F7-E0B4-27D7-2036-1510FF3DA698} - C:\WINDOWS\system32\mfczw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iprn.exe] C:\WINDOWS\iprn.exe
O4 - HKLM\..\Run: [109.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\109.tmp.exe 2 28129
O4 - HKLM\..\Run: [10E.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [10E.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [wbsena] c:\windows\system32\wbsena.exe
O4 - HKLM\..\Run: [12.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\d3wa.exe
O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide (HKLM)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-step.com/distribution/cre8tiv3dix.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.com/test/ImageUploader2.cab


#2 daveai


Posted 05 February 2005 - 01:23 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai


Posted 05 February 2005 - 01:26 PM

The first step is to send an updated HijackThis log.

You have several infections, that are fixable, but I need to see the info that the new HijackThis will give us.

Be sure to use the newest version of HijackThis (version 1.99) and unzip it into a newly created folder (such as "C:\HJT") to ensure that backup files will be saved reliably.

Once you create the new log, please do not reboot until you hear back from me, since the infections will change names on us.

I will be notified automatically when you reply.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 tdtg


Posted 05 February 2005 - 02:38 PM

Here's the new log with the Hijack This 1.99:

Logfile of HijackThis v1.99.0
Scan saved at 11:36:55 AM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\iprn.exe
C:\WINDOWS\sdktu32.exe
C:\HijackThis Take2 about blank\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C88F3E71-4E20-56A9-DB40-BFBD9CAC3434} - C:\WINDOWS\system32\mfczw.dll
O2 - BHO: (no name) - {DF6EE72D-6DA9-D49D-AEDC-B86B1D310C21} - C:\WINDOWS\system32\mfczw.dll
O2 - BHO: (no name) - {E0B624F7-E0B4-27D7-2036-1510FF3DA698} - C:\WINDOWS\system32\mfczw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iprn.exe] C:\WINDOWS\iprn.exe
O4 - HKLM\..\Run: [109.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\109.tmp.exe 2 28129
O4 - HKLM\..\Run: [10E.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [10E.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [wbsena] c:\windows\system32\wbsena.exe
O4 - HKLM\..\Run: [12.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [2.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\2.tmp.exe 3 28129
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\d3wa.exe
O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe
O4 - HKLM\..\RunOnce: [sdktu32.exe] C:\WINDOWS\sdktu32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-step.com/distribution/cre8tiv3dix.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.com/test/ImageUploader2.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\msou32.exe (file missing)

#5 daveai


Posted 05 February 2005 - 04:19 PM

Thanks

You have an infection that will take several messages to completely clean out.

Here is the first set of instructions.
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip AboutBuster to a convenient folder such as C:\AboutBuster.
    • Run AboutBuster.exe. Click OK, Update, Check For Update. Download the updates if they exist.
    • Click Exit as I do not want you to run the program yet.
  • Prepare cwsserviceremove.reg for use:
  • Print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Reconfigure Windows XP to show hidden files:
    • Click Start. Open My Computer.
    • Select the Tools menu and click Folder Options. Select the View Tab.
    • Under the Hidden files and folders heading select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Uncheck the "Hide file extensions for known file types" option.
    • Click Yes to confirm. Click OK.
  • Boot into Safe Mode:
    • Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    • To get back to normal mode just restart the computer as you normally would.
  • Stop and disable the offending service:
    • Start | Run | type services.msc | OK
    • Scroll down the list until you find the service called Remote Procedure Call (RPC) Helper
    • Double-click on it and under the General tab click Stop to stop the service.
    • Change the Startup Type to Disabled.
    • Click Apply and then OK and close any open windows.
  • End the service process:
    • Press the Ctrl + Alt + Delete keys simultaneously to open the Task Manager.
    • Under the Processes tab find (insert Path from the ServiceFilter log here).
    • Click End Process.
    • File | Exit Task Manager
  • Fix malicious entries with HijackThis v1.98.2:
    • Please close all browsers and windows that you might have open.
    • Open HijackThis and click Scan.
    • Place checkmarks in the boxes next to these entries (if present):
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvogo.dll/sp.html#28129
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
        R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
        R3 - Default URLSearchHook is missing
        O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
        O2 - BHO: (no name) - {C88F3E71-4E20-56A9-DB40-BFBD9CAC3434} - C:\WINDOWS\system32\mfczw.dll
        O2 - BHO: (no name) - {DF6EE72D-6DA9-D49D-AEDC-B86B1D310C21} - C:\WINDOWS\system32\mfczw.dll
        O2 - BHO: (no name) - {E0B624F7-E0B4-27D7-2036-1510FF3DA698} - C:\WINDOWS\system32\mfczw.dll
        O4 - HKLM\..\Run: [iprn.exe] C:\WINDOWS\iprn.exe
        O4 - HKLM\..\Run: [109.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\109.tmp.exe 2 28129
        O4 - HKLM\..\Run: [10E.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
        O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
        O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
        O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
        O4 - HKLM\..\Run: [10E.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
        O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
        O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
        O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
        O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
        O4 - HKLM\..\Run: [wbsena] c:\windows\system32\wbsena.exe
        O4 - HKLM\..\Run: [12.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
        O4 - HKLM\..\Run: [2.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\2.tmp.exe 3 28129
        O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\d3wa.exe
        O4 - HKLM\..\RunOnce: [sdktu32.exe] C:\WINDOWS\sdktu32.exe
        O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
        O15 - Trusted Zone: *.05p.com
        O15 - Trusted Zone: *.addictivetechnologies.com
        O15 - Trusted Zone: *.admin2cash.biz
        O15 - Trusted Zone: *.awmdabest.com
        O15 - Trusted Zone: *.bettersearch.biz
        O15 - Trusted Zone: *.blazefind.com
        O15 - Trusted Zone: *.c4tdownload.com
        O15 - Trusted Zone: *.clickspring.net
        O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
        O15 - Trusted Zone: *.flingstone.com
        O15 - Trusted Zone: *.frame.crazywinnings.com
        O15 - Trusted Zone: *.iframe.biz
        O15 - Trusted Zone: *.megapornix.com
        O15 - Trusted Zone: *.mt-download.com
        O15 - Trusted Zone: *.my-internet.info
        O15 - Trusted Zone: *.newiframe.biz
        O15 - Trusted Zone: *.overpro.com
        O15 - Trusted Zone: *.private-dialer.biz
        O15 - Trusted Zone: *.private-iframe.biz
        O15 - Trusted Zone: *.scoobidoo.com
        O15 - Trusted Zone: *.searchbarcash.com
        O15 - Trusted Zone: *.searchmiracle.com
        O15 - Trusted Zone: *.slotch.com
        O15 - Trusted Zone: *.sp2admin.biz
        O15 - Trusted Zone: *.sp2bleeped.biz
        O15 - Trusted Zone: *.static.topconverting.com
        O15 - Trusted Zone: *.windupdates.com
        O15 - Trusted Zone: *.xxxtoolbar.com
        O15 - Trusted Zone: *.05p.com (HKLM)
        O15 - Trusted Zone: *.awmdabest.com (HKLM)
        O15 - Trusted Zone: *.blazefind.com (HKLM)
        O15 - Trusted Zone: *.clickspring.net (HKLM)
        O15 - Trusted Zone: *.flingstone.com (HKLM)
        O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
        O15 - Trusted Zone: *.mt-download.com (HKLM)
        O15 - Trusted Zone: *.my-internet.info (HKLM)
        O15 - Trusted Zone: *.scoobidoo.com (HKLM)
        O15 - Trusted Zone: *.searchbarcash.com (HKLM)
        O15 - Trusted Zone: *.searchmiracle.com (HKLM)
        O15 - Trusted Zone: *.slotch.com (HKLM)
        O15 - Trusted Zone: *.static.topconverting.com (HKLM)
        O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
        O15 - Trusted IP range: 206.161.125.149
        O15 - Trusted IP range: 206.161.124.130 (HKLM)
        O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
        O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
        O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\msou32.exe (file missing)
    • Once you have placed a checkmark next to each one of them, click Fix Checked.
  • Remove malicious programs:
    • Please remove these entries from Add/Remove Programs in the Control Panel (if present): none
  • Remove malicious folders:
    • Please delete these folders using Windows Explorer (if present):
      C:\WINDOWS\isrvs\
      C:\Program Files\Windows AdStatus\
  • Remove malicious files:
    • Please delete these files using Windows Explorer (if present):
      C:\WINDOWS\iprn.exe <-- this file
      C:\WINDOWS\d3wa.exe <-- this file
      C:\WINDOWS\sdktu32.exe <-- this file
      C:\WINDOWS\zeta.exe <-- this file
      C:\WINDOWS\msou32.exe <-- this file
      C:\WINDOWS\qvogo.dll <-- this file
      C:\WINDOWS\system32\mfczw.dll <-- this file
      C:\WINDOWS\System32\tibs5.exe <-- this file
      C:\WINDOWS\System32\gah95on6.exe <-- this file
      C:\WINDOWS\System32\msxmidi.exe <-- this file
      c:\windows\system32\wbsena.exe <-- this file
  • Remove the offending service:
    • Double-click the cwsserviceremove.reg file you downloaded at the beginning.
    • Answer Yes when prompted to add the contents to the registry.
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.
    • Double check to see if the folder C:\DOCUMENTSandSETTINGS\Mike\LOCALSETTINGS\Temp is empty.
  • Restart your computer normally to return to normal mode.
  • Restore (possibly) deleted files:
    • control.exe - Visit this page.
      • Download the version of control.exe that corresponds to your operating system.
      • If you are running Windows 95, 98, or ME copy it to C:\WINDOWS.
      • If you are running Windows 2000 copy it to C:\WINNT\system32.
      • If you are running Windows XP copy it to C:\WINDOWS\system32.
    • HOSTS - Download the Hoster.
      • Unzip Hoster to a convenient folder such as C:\Hoster.
      • Run Hoster.exe, click Restore Original Hosts and then click OK.
      • Click the X to exit the program.
      • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
    • SDHelper.dll - If you have Spybot Search & Destroy installed download a new SDHelper.dll from here and copy it to the default Spybot folder.
      • The normal path is C:\Program Files\Spybot - Search & Destroy.
    • shell.dll - Visit this page.
      • Download the version that corresponds to your operating system.
      • If you are running Windows 98 copy it to C:\WINDOWS\System.
      • If you are running Windows 2000 copy it to C:\WINNT\System32.
      • If you are running Windows XP copy it to C:\WINDOWS\System32.
  • Check ActiveX security settings:
    • In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled)
    • Script ActiveX controls marked safe for scripting (Prompt)
  • Run an online virus scan:
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.
I'll follow up with the next set of instructions.

Thanks
daveai

Edited by daveai, 08 February 2005 - 12:26 AM.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
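The checklist above is essentially a helper reading a HijackThis log line by line and picking out the entry classes that do not belong. As an added example (not code from this thread, from BleepingComputer, or from HijackThis itself), the Python below parses a HijackThis-format log and flags the same classes: res:// search-page redirects, unnamed BHOs, autostarts launched from Temp or dropped in the Windows root, O15 Trusted Zone additions, O16 ActiveX downloads from a host the same log also trusts, and services whose file is missing. The sample log is constructed from entries copied out of the posts above and mixed with known-good lines; the heuristics are the example's own and produce leads to verify, not verdicts.

```python
"""Triage a HijackThis-format log the way a forum helper reads it (example heuristics, not HijackThis rules)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: entries copied from the logs posted above, mixing known-good
# lines (QuickTime, Google Toolbar, NVIDIA, about:blank) with the hijack entries.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\soft.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C88F3E71-4E20-56A9-DB40-BFBD9CAC3434} - C:\WINDOWS\system32\mfczw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [109.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\109.tmp.exe 2 28129
O4 - HKLM\..\RunOnce: [sdktu32.exe] C:\WINDOWS\sdktu32.exe
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")                              # "O4 - ..." lines only
TEMP_EXE_RE = re.compile(r"\\temp\\[^\\\s]+\.exe", re.IGNORECASE)               # exe run out of a Temp dir
WINDIR_EXE_RE = re.compile(r"[a-z]:\\windows\\[^\\\s]+\.exe", re.IGNORECASE)   # exe in the Windows root


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line was flagged
    line: str     # the original log line


def parse_entries(log_text):
    """Return (section, body, line) for every 'Xn - ...' line; header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))
    return entries


def trusted_zone_domains(entries):
    """Domains added to IE's Trusted Zone by O15 lines, minus the leading '*.' and any '(HKLM)' suffix."""
    domains = set()
    for section, body, _ in entries:
        if section == "O15" and body.startswith("Trusted Zone:"):
            pattern = body.split(":", 1)[1].split()[0]
            domains.add(pattern.lstrip("*.").lower())
    return domains


def triage(log_text):
    """Flag the entry classes the fix instructions above remove; returns a list of Finding."""
    entries = parse_entries(log_text)
    trusted = trusted_zone_domains(entries)
    findings = []
    for section, body, line in entries:
        reason = None
        if section in ("R0", "R1") and "res://" in body:
            reason = "IE start/search page redirected into a res:// resource of a local DLL"
        elif section == "R3" and "missing" in body:
            reason = "default URLSearchHook has been removed"
        elif section == "F1" and "run=" in body:
            reason = "legacy win.ini run= autostart, rarely used by legitimate software"
        elif section == "O2" and "(no name)" in body:
            reason = "browser helper object with no registered name"
        elif section == "O4" and TEMP_EXE_RE.search(body):
            reason = "autostart launches an executable from a Temp directory"
        elif section == "O4" and WINDIR_EXE_RE.search(body):
            reason = "autostart executable dropped directly into the Windows directory"
        elif section == "O15":
            reason = "site or IP range added to the Trusted Zone, which relaxes ActiveX security"
        elif section == "O16":
            host = (urlparse(body.rsplit(" - ", 1)[-1].strip()).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in trusted):
                reason = "ActiveX download from a host the same log adds to the Trusted Zone"
        elif section == "O18" and "(no file)" in body:
            reason = "MIME filter registered for text/html with no backing file"
        elif section == "O23" and "(file missing)" in body:
            reason = "service whose executable is missing (often renamed on each reboot)"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def summarize(findings):
    """Count findings per section code, e.g. {'O4': 2, 'O15': 2}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Known-good lines (Google Toolbar, QuickTime, NVIDIA, the about:blank Default_Page_URL) pass through unflagged, so the output is the short list a helper would actually ask the poster to tick.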

#6 daveai


Posted 06 February 2005 - 04:39 PM

I am adding the text of a PM chain in which we have been working to solve a 'missing desktop, start and taskbar' problem with this user.

Okay...next try this.

Reboot as if going to Safe Mode (using F8) and select "Last Known Good Configuration".

See if that gets you up correctly.

If yes, reply back in the forum thread.

daveai

----

Almost worked. After typing 'command', it brings a window that says 'it is not compatible with MS DOS or Windows.' I have the options to close or ignore. When I click on either...it disappears.

----

Okay...let's try this:

In Task Manager, have him go to File | New Task (Run...) and in the box that shows up type command and press Enter.

Then type:

sfc /scannow

----

It gives me a window that reads, "Windows cannot find 'explorer.exe'. Make sure you spelled it correctly, and try again. To search for a file, click on the Start button..."

----

Here is a suggestion from one of the others here:

    In Task Manager, have him go to File | New Task (Run...) and in the box that shows up type explorer.exe and press Enter.

    See if that works.

Let me know.
daveai

----

I ran the fixall script. It gave me a notice that it finished. It didn't reboot my computer. I had to do that myself. Looks like the end result was no change....still a desktop with missing icons, Start button and taskbar.

I'll stand by for more feedback. Thanks!

----

Okay...thanks.

Since you can get online with IE, I have something for you to try.

Your problem (missing desktop icons, Start button and taskbar) is a known one, with a number of posts on the Microsoft discussion boards for Windows.

This is the fix I see recommended numerous times...it is a script you must allow to run on your system that will make changes to the registry.

http://www.kellys-korner-xp.com/regs_edits...ktop_fixall.vbs

After it completes, reboot.

I'll stand by to see how it goes.

daveai

----

I appreciate your help and any help from others to assist me in resolving this issue.

I am able to send PMs on this same computer. I can still use this same computer in a roundabout manner. I can boot Windows XP normally, but it loads my personal settings more slowly. My desktop background picture loads, but that's it. No desktop icons or start menu. By using CTRL ALT DEL, I can access the Windows Task Manager. I click on 'New Task' to run programs, access files or use Internet Explorer. For example, I was able to download AboutBuster and cwsserviceremove.

1 more bit of info: Right when the spyware was getting bad, a window opened up saying parts of Windows XP were being interrupted and to insert the XP OS CD. This looked like a legit window (vs a spyware fake). I tried using the CD to repair anything, but it didn't work.

Thanks. I look forward to any further advice,

Mike

----

Okay...I'm going to get some other Helpers looking at this problem with me. I haven't seen it before (the lost desktop) but I'm sure some of the others may have.

It will probably be tomorrow before I get any feedback. As soon as I hear something I'll send a message.

I'm sure we can work you through this problem, so hang in there.

Also, how are you sending these PMs? Are you on a different computer?

Thanks
daveai

----

After tapping F8, I am able to choose the Safe Mode option, and log in with my user settings. However when I arrive at the desktop, nothing is there, and I end up getting stuck.

I can move the mouse arrow around. It says 'Safe Mode' in each corner and 'Windows XP' across the top, but there are no desktop icons or startup menu.

help!

Thanks, Mike/tiedyetriguy

----

Boot into Safe Mode, by tapping F8 repeatedly as you come up from a restart.

Then, if you can get to a desktop...run through as much of the fix as you can.

If not, get back to me.

Thanks
daveai

----

I'm having problems with step 4, reconfiguring Windows XP.

My XP has a difficult time loading my personal settings. My desktop is empty. The Start Menu isn't there.

I can only access the internet, programs and files by CTRL ALT DEL and using the Windows Task Manager. I'm not sure how to get to the 'Tools menu, Folder Options' of 'My Computer'. Is this possible from the Windows Task Manager?

Thanks for any advice you can give,

Mike tiedyetriguy

----

I've responded.

It will take several posts to get you clean.

Send the logs I ask for when you finish the first set of instructions.

Thanks
daveai

----

daveai,

I had my login ID incorrect (tdtg). Sorry if there was any confusion.

But I have posted a new HijackThis log v1.99, as you requested.

I'll be anxiously awaiting your response, to see if we can fix these infections.

Thanks!

tiedyetriguy

#7 tiedyetriguy

Posted 07 February 2005 - 12:36 AM

I tried Safe Mode, and selected 'last known good configuration', but unfortunately it left me with the same empty desktop (desktop background photo, but no desktop icons, toolbar or start menu).

#8 tiedyetriguy

Posted 07 February 2005 - 12:13 PM

I will end process 'sdktu32.exe' and see if that helps. From the Task Manager it seems to be taking up a lot of the CPU (99 or so).

I think I can run a lot from the Task Manager (i.e. HijackThis etc.). Should I try to run HijackThis and remove some of the unwanted items?

I just got stuck on #4, because I could not access the Start Menu and reveal the hidden files.

thanks!

I'll be away from my infected computer most of today, but will check this forum and PM's periodically.

#9 daveai

Posted 07 February 2005 - 01:32 PM

Thanks.

That task is certainly part of the infection, but ending it alone will not cure it, since there are other pieces still active. So you will remain infected.

Let's do this.

Send me a fresh HijackThis log, and I'll revisit the fix from before. I have a download link that we can use for the show hidden files step.

I'll repost the fix with any changes I see.

Then, we'll run as much of the fix as possible via Task Manager.

daveai

#10 tiedyetriguy

Posted 07 February 2005 - 09:18 PM

Sorry it took so long. Here's a fresh log. I ended the process on 'sdktu32.exe'. Sorry for the delay. Once again I appreciate your help and patience.

Logfile of HijackThis v1.99.0
Scan saved at 6:17:06 PM, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\iprn.exe
C:\WINDOWS\sdktu32.exe
C:\HijackThis Take2 about blank\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {C88F3E71-4E20-56A9-DB40-BFBD9CAC3434} - C:\WINDOWS\system32\mfczw.dll
O2 - BHO: (no name) - {DF6EE72D-6DA9-D49D-AEDC-B86B1D310C21} - C:\WINDOWS\system32\mfczw.dll
O2 - BHO: (no name) - {E71DE0DD-A511-6A3A-D0FC-2A41EE33709D} - C:\WINDOWS\system32\mfczw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iprn.exe] C:\WINDOWS\iprn.exe
O4 - HKLM\..\Run: [109.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\109.tmp.exe 2 28129
O4 - HKLM\..\Run: [10E.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [10E.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129
O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [wbsena] c:\windows\system32\wbsena.exe
O4 - HKLM\..\Run: [12.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [2.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\2.tmp.exe 3 28129
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\d3wa.exe
O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe
O4 - HKLM\..\RunOnce: [sdktu32.exe] C:\WINDOWS\sdktu32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-step.com/distribution/cre8tiv3dix.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_4us.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD18DD5E-B398-452A-B22A-B54636BA9F0D} (Aurigma Image Uploader 2.5) - http://www.blinkz.com/test/ImageUploader2.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\msou32.exe (file missing)
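
A way to automate the triage a helper does by eye on a log like the one above, added here as an example for this thread; it is not HijackThis code and was not posted by anyone in the discussion. The heuristics encode the kinds of entries that end up in a fix list: R0/R1 search settings that resolve into a res:// DLL resource or are forced to about:blank, a missing URLSearchHook, nameless O2 BHOs, O4 autoruns launched from a Temp folder or left sitting in RunOnce, every O15 Trusted Zone addition, O18 filters with no file behind them and O23 services whose binary is missing. The SAMPLE_LOG is a constructed subset of the posted log (including benign entries that must stay unflagged) so the block runs offline; the function names are mine.

```python
"""Heuristic triage of a HijackThis log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: a subset of the log posted above, with benign entries
# (the Acrobat BHO, nwiz, the NVIDIA service) that must not be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C88F3E71-4E20-56A9-DB40-BFBD9CAC3434} - C:\WINDOWS\system32\mfczw.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [109.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\109.tmp.exe 2 28129
O4 - HKLM\..\RunOnce: [sdktu32.exe] C:\WINDOWS\sdktu32.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Every HijackThis entry line looks like "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A path that passes through a Temp folder, in long or 8.3 (LOCALS~1) form.
TEMP_RE = re.compile(r"\\(?:LOCALS~1\\)?Temp\\", re.IGNORECASE)
RUNONCE_PREFIXES = ("HKLM\\..\\RunOnce:", "HKCU\\..\\RunOnce:")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry was flagged
    line: str    # the original log line, ready to paste into a fix list


def classify(code: str, body: str) -> Optional[str]:
    """Return why an entry looks hostile, or None if it passes the heuristics."""
    if code in ("R0", "R1", "R3"):
        if "res://" in body:
            return "search/start page redirected into a DLL resource"
        if body.endswith("= about:blank"):
            return "start page forced to about:blank"
        if body.endswith("is missing"):
            return "default URLSearchHook removed"
    elif code == "O2" and "(no name)" in body:
        return "browser helper object with no name"
    elif code == "O4":
        if TEMP_RE.search(body):
            return "autorun launched from a Temp folder"
        if body.startswith(RUNONCE_PREFIXES):
            return "RunOnce entry (Windows deletes these after they run; one that persists is being re-added)"
    elif code == "O15":
        return "site or IP added to the IE Trusted zone"
    elif code == "O18" and "(no file)" in body:
        return "MIME filter registered with no backing file"
    elif code == "O23" and "(file missing)" in body:
        return "service whose binary is missing"
    return None


def entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (code, body, line) for every entry line; headers and process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def triage(log_text: str) -> List[Finding]:
    """Run every entry through classify() and collect the hits in log order."""
    findings = []
    for code, body, line in entries(log_text):
        reason = classify(code, body)
        if reason is not None:
            findings.append(Finding(code, reason, line))
    return findings


def report(findings: List[Finding]) -> str:
    """One flagged line per finding, with the reason underneath."""
    return "\n".join(f"{f.line}\n    -> {f.reason}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The O15 rule flags every Trusted Zone entry on purpose: a home machine normally has none, and each one lowers IE's security for that domain to the Trusted level, which is exactly how the .cab installers in the O16 lines get to run without a prompt. Treat the output as a candidate list to review, not as a fix list; a rule like the RunOnce one will also catch legitimate one-shot entries such as the System Restore rstrui.exe line.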

#11 daveai

Posted 07 February 2005 - 11:26 PM

Thanks.

Before we launch off on this, I want to try to get the desktop back.

Do you have your Windows install CDs?

I've been talking this over with a colleague, and we believe you need to replace your explorer.exe file.

Please wait for instructions, which I'm working up.

Thanks

daveai

#12 tiedyetriguy

Posted 08 February 2005 - 12:30 AM

I've got my Reinstallation CD Windows XP Home Edition (service pack 1) from Dell.

#13 daveai

Posted 08 February 2005 - 12:32 AM

Okay...stand by...we are discussing the case now :thumbsup:

daveai

#14 daveai

Posted 08 February 2005 - 12:57 AM

Okay

I'm writing up a fix now.

1 -- In the meantime, please confirm that you can run AdAware and Spybot, and make sure they are updated. You don't have to scan yet.

2 -- Download the Pocket Killbox.

Unzip it to a convenient location and confirm that you can run it. Then close it.

3 -- Also, download CWShredder.exe from: http://cwshredder.net/bin/CWShredder.exe

Put it in a convenient location.

4 -- I already know that you can run HijackThis.

I should have the instructions ready to go by the time you get back to me.

Thanks
daveai

#15 daveai

Posted 08 February 2005 - 01:57 AM

Okay...the consensus is that it is the infections that are causing the desktop problems. So we are going to delete as much stuff as we can with these steps.

First...please do two more downloads, and save the files where you can find them with 'Task Manager > File > New Task > Browse.'

1 -- Download the file DelDomains.inf from http://www.mvps.org/winhelp2002/DelDomains.inf to your desktop.

Right-click on the deldomains.inf file and select 'Install'

2 -- Please download About:Buster from here: http://tools.zerosrealm.com/AboutBuster.zip.

Once it is downloaded extract it to c:\aboutbuster. Do NOT use it yet


Next, copy these instructions into a Notepad file, and save it as a 'txt' file somewhere you can find it in safe mode.

You will not be able to view this page in Safe Mode.




1 -- Boot into Safe Mode. Open the Notepad file with these instructions in it.



2 -- Open Task Manager, and select the Processes tab. Use End Process on the following:

C:\WINDOWS\iprn.exe
C:\WINDOWS\sdktu32.exe


3 -- Run CWShredder.exe and press FIX

Do it again.


4 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvogo.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qvogo.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvogo.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qvogo.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll

O2 - BHO: (no name) - {C88F3E71-4E20-56A9-DB40-BFBD9CAC3434} - C:\WINDOWS\system32\mfczw.dll

O2 - BHO: (no name) - {DF6EE72D-6DA9-D49D-AEDC-B86B1D310C21} - C:\WINDOWS\system32\mfczw.dll

O2 - BHO: (no name) - {E71DE0DD-A511-6A3A-D0FC-2A41EE33709D} - C:\WINDOWS\system32\mfczw.dll

O4 - HKLM\..\Run: [iprn.exe] C:\WINDOWS\iprn.exe

O4 - HKLM\..\Run: [109.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\109.tmp.exe 2 28129

O4 - HKLM\..\Run: [10E.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129

O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe

O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe

O4 - HKLM\..\Run: [10E.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\10E.tmp.exe 0 28129

O4 - HKLM\..\Run: [12.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001

O4 - HKLM\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe

O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O4 - HKLM\..\Run: [wbsena] c:\windows\system32\wbsena.exe

O4 - HKLM\..\Run: [12.tmp.exe] C:\DOCUME~1\Mike\LOCALS~1\Temp\12.tmp.exe 1 10001

O4 - HKLM\..\Run: [2.tmp] C:\DOCUME~1\Mike\LOCALS~1\Temp\2.tmp.exe 3 28129

O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i

O4 - HKLM\..\RunOnce: [d3wa.exe] C:\WINDOWS\d3wa.exe

O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe

O4 - HKLM\..\RunOnce: [sdktu32.exe] C:\WINDOWS\sdktu32.exe

O4 - HKCU\..\Run: [Web Service] C:\WINDOWS\System32\msxmidi.exe

O15 - Trusted Zone: *.05p.com

O15 - Trusted Zone: *.addictivetechnologies.com

O15 - Trusted Zone: *.admin2cash.biz

O15 - Trusted Zone: *.awmdabest.com

O15 - Trusted Zone: *.bettersearch.biz

O15 - Trusted Zone: *.blazefind.com

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.finefind.nettraffic2cash.biz

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.frame.crazywinnings.com

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.megapornix.com

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.my-internet.info

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.private-dialer.biz

O15 - Trusted Zone: *.private-iframe.biz

O15 - Trusted Zone: *.scoobidoo.com

O15 - Trusted Zone: *.searchbarcash.com

O15 - Trusted Zone: *.searchmiracle.com

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2bleeped.biz

O15 - Trusted Zone: *.static.topconverting.com

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.05p.com (HKLM)

O15 - Trusted Zone: *.awmdabest.com (HKLM)

O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted Zone: *.clickspring.net (HKLM)

O15 - Trusted Zone: *.flingstone.com (HKLM)

O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

O15 - Trusted Zone: *.mt-download.com (HKLM)

O15 - Trusted Zone: *.my-internet.info (HKLM)

O15 - Trusted Zone: *.scoobidoo.com (HKLM)

O15 - Trusted Zone: *.searchbarcash.com (HKLM)

O15 - Trusted Zone: *.searchmiracle.com (HKLM)

O15 - Trusted Zone: *.slotch.com (HKLM)

O15 - Trusted Zone: *.static.topconverting.com (HKLM)

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)

O15 - Trusted IP range: 206.161.125.149

O15 - Trusted IP range: 206.161.124.130 (HKLM)

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab

O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\msou32.exe (file missing)

Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


5 -- KillBox Step
  • download step is done
  • unzip step is done

  • Disconnect from the internet, and shut down all running programs
  • Double-click on KillBox.exe, and keep it open
  • Keep Notepad open!
  • Start Task manager (ctrl+alt+del) and end task explorer.exe if you can find it
  • OK the warning and close Task Manager (the desktop disappears now). ONLY KillBox and Notepad should be open now.
  • In Killbox Click "Delete on Reboot"
  • Paste this file into the top "Full Path of File to Delete" box.

    • C:\Windows\RegProt.ini
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 8-12 above for these files:
    C:\Windows\blank.html

    C:\WINDOWS\d3wa.exe

    C:\WINDOWS\iprn.exe

    C:\WINDOWS\msou32.exe

    C:\WINDOWS\qvogo.dll

    C:\WINDOWS\sdktu32.exe

    C:\WINDOWS\zeta.exe


    C:\WINDOWS\System32\gah95on6.exe

    C:\WINDOWS\system32\mfczw.dll

    C:\WINDOWS\System32\msxmidi.exe

    C:\WINDOWS\System32\tibs5.exe

    c:\windows\system32\wbsena.exe

    C:\WINDOWS\isrvs\desktop.exe

    C:\WINDOWS\isrvs\ffisearch.exe

    C:\WINDOWS\isrvs\sysupd.dll

    C:\WINDOWS\isrvs\


  • Click "Replace on Reboot"
  • Paste this file into the top "Full Path of File to Delete" box.

    C:\Program Files\Windows AdStatus\
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!"
    message then just restart manually.
6 -- Next, clean out all the temporary files and cookies on your system. Use Task Manager to run: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press OK to remove: Temporary Files, Temporary Internet Files, Recycle Bin.


7 -- This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

Post the log file in your next reply


8 -- Run a full scan with AdAware and fix everything it will let you.


9 -- If you have it on your system, run a full scan with Spybot and fix everything it will let you.


10 -- Now, reboot normally and run at least two of these online virus scans (Or more if you wish.), reboot after each scan:

RAV: add a check by 'Autoclean', leave everything else as is.

eTrust: 'Cure' whatever is found, then delete if unsuccessful.

Housecall: put on 'Autoclean' and delete what it can't clean.

Panda ActiveScan: accept the default settings.


11 -- Create a fresh HijackThis log and send it to me in a reply to this message, along with the AboutBuster log.

Good luck
daveai

Edited by daveai, 08 February 2005 - 01:58 AM.

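
What the KillBox step above does under the hood, and why the tool can warn that the "PendingFileRenameOperations Registry Data has been Removed by External Process". This is an added example written for this thread, not KillBox's own code. "Delete on Reboot" and "Replace on Reboot" call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a source/destination pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the Session Manager (smss.exe) carries the queued operations out early in the next boot, before explorer.exe, the Run keys or any service can reopen the file, which is what makes the technique work against a running infection. Paths are stored in NT form (\??\C:\...), an empty destination means delete, and a destination prefixed with "!" means overwrite the existing file. The block encodes and decodes that value so the queue can be inspected (for instance on an exported hive), and on Windows only queues an operation with the same API. The file paths come from the fix list above; the dummy file used for the replace case and the function names are assumptions of mine.

```python
"""Encode/decode PendingFileRenameOperations (added example, not KillBox code)."""
import ctypes
import sys
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"                 # Win32 path C:\x is stored as \??\C:\x
MOVEFILE_REPLACE_EXISTING = 0x1      # MoveFileEx flags from winbase.h
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


@dataclass(frozen=True)
class PendingOp:
    source: str                     # Win32 path of the file acted on at boot
    destination: Optional[str]      # None = delete; otherwise the target path
    replace_existing: bool = False  # True = overwrite the target ("!" prefix)

    @property
    def kind(self) -> str:
        if self.destination is None:
            return "delete"
        return "replace" if self.replace_existing else "rename"


def _to_nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _from_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode(ops: List[PendingOp]) -> bytes:
    """Build the raw REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, with
    one extra NUL closing the list. A delete is a source followed by an empty
    destination, so two NULs in a row inside the value are legitimate here."""
    parts = []
    for op in ops:
        parts.append(_to_nt(op.source))
        if op.destination is None:
            parts.append("")
        else:
            dest = _to_nt(op.destination)
            parts.append("!" + dest if op.replace_existing else dest)
    return ("".join(p + "\0" for p in parts) + "\0").encode("utf-16-le")


def decode(data: bytes) -> List[PendingOp]:
    """Parse the raw value back into operations. An empty value is what
    KillBox reports as its queue having been removed by another process."""
    text = data.decode("utf-16-le")
    if text.strip("\0") == "":
        return []
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    # Drop only the closing NUL pair, so the empty destination of a trailing
    # delete entry survives the split.
    fields = text[:-2].split("\0")
    if len(fields) % 2:
        raise ValueError("PendingFileRenameOperations holds source/destination pairs")
    ops = []
    for src, dst in zip(fields[0::2], fields[1::2]):
        if dst == "":
            ops.append(PendingOp(_from_nt(src), None))
        elif dst.startswith("!"):
            ops.append(PendingOp(_from_nt(src), _from_nt(dst[1:]), True))
        else:
            ops.append(PendingOp(_from_nt(src), _from_nt(dst)))
    return ops


def describe(ops: List[PendingOp]) -> List[str]:
    """Human-readable summary, one line per queued operation."""
    return [f"{op.kind} {op.source}" if op.destination is None
            else f"{op.kind} {op.source} -> {op.destination}" for op in ops]


def queue_for_reboot(op: PendingOp) -> None:
    """Queue one operation the way KillBox does. Windows only; needs admin
    rights because the kernel writes the value under HKLM."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    flags = MOVEFILE_DELAY_UNTIL_REBOOT
    if op.replace_existing:
        flags |= MOVEFILE_REPLACE_EXISTING
    if not ctypes.windll.kernel32.MoveFileExW(op.source, op.destination, flags):
        raise ctypes.WinError()


# Constructed queue mirroring the KillBox step; C:\dummy.txt (the file that
# overwrites sdktu32.exe) is an assumption, not from the original post.
FIX_QUEUE = [
    PendingOp(r"C:\WINDOWS\iprn.exe", None),
    PendingOp(r"C:\WINDOWS\qvogo.dll", None),
    PendingOp(r"C:\dummy.txt", r"C:\WINDOWS\sdktu32.exe", replace_existing=True),
]

if __name__ == "__main__":
    for line in describe(decode(encode(FIX_QUEUE))):
        print(line)
```

On the infected machine the queue can be read before rebooting with reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations; if it comes back empty after KillBox said the operations were queued, something else cleared the value and the deletions will not happen, which is the condition the tool's warning describes. Malware persistence checks look at the same value for the opposite reason: it is also a convenient place for an installer to schedule its own file swaps for the next boot.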



