
HJT log: PLEASE HELP!



#1 krosati


Posted 17 April 2005 - 01:43 AM

I've used several programs to remove spyware and HJers but this one is not for the timid or faint of heart. I really need help here and I hope you folks can!


Logfile of HijackThis v1.99.1
Scan saved at 1:33:56 AM, on 04/17/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\D3EX.EXE
C:\WINDOWS\CRPD.EXE
C:\WINDOWS\SYSTEM\APPCQ.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\MFCCU.EXE
C:\WINDOWS\SYSTEM\ADDXU.EXE
C:\WINDOWS\SYSTEM\SDKUN32.EXE
C:\WINDOWS\SDKEK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\MSINPUT\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPCLIENT.EXE
C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMON32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VERIZON ONLINE\CONTROLPAD\CPAD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\D3CW.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE
C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
C:\WINDOWS\SYSTEM\ADDXU.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\APPCQ.EXE
C:\PROGRAM FILES\MOTIVE\ASSTCOMMON\MOTIVEDIRECTORY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\BIN\MAD.EXE
C:\WINDOWS\CRPD.EXE
C:\WINDOWS\SYSTEM\NETXR.EXE
C:\WINDOWS\SYSTEM\NETXR.EXE
C:\WINDOWS\MSCP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\NETXR.EXE
C:\WINDOWS\SYSTEM\SYSNK32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PROFILES\KROSATI\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F1 - win.ini: run=HPFsched
O2 - BHO: Class - {7C16C7E5-9CFA-188C-1391-6B30852F9DA6} - C:\WINDOWS\NTFA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Verizon Control Pad] C:\PROGRAM FILES\VERIZON ONLINE\CONTROLPAD\CPAD.exe #SPLASH
O4 - HKLM\..\Run: [vptray] c:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [wDym6qE] C:\GPFVGSD.EXE
O4 - HKLM\..\Run: [D3CW.EXE] C:\WINDOWS\SYSTEM\D3CW.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] c:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [D3EX.EXE] C:\WINDOWS\D3EX.EXE /s
O4 - HKLM\..\RunServices: [CRPD.EXE] C:\WINDOWS\CRPD.EXE /s
O4 - HKLM\..\RunServices: [APPCQ.EXE] C:\WINDOWS\SYSTEM\APPCQ.EXE /s
O4 - HKLM\..\RunServices: [MFCCU.EXE] C:\WINDOWS\MFCCU.EXE /s
O4 - HKLM\..\RunServices: [ADDXU.EXE] C:\WINDOWS\SYSTEM\ADDXU.EXE /s
O4 - HKLM\..\RunServices: [SDKUN32.EXE] C:\WINDOWS\SYSTEM\SDKUN32.EXE /s
O4 - HKLM\..\RunServices: [SDKEK.EXE] C:\WINDOWS\SDKEK.EXE /s
O4 - HKLM\..\RunServices: [NETXR.EXE] C:\WINDOWS\SYSTEM\NETXR.EXE /s
O4 - HKLM\..\RunServices: [MSCP.EXE] C:\WINDOWS\MSCP.EXE /s
O4 - HKLM\..\RunServices: [SYSNK32.EXE] C:\WINDOWS\SYSTEM\SYSNK32.EXE /s
O4 - HKLM\..\RunOnce: [MOTIVEBTN] C:\Program Files\Verizon Online\SupportCenter\bin\renbut.bat
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - HKCU\..\Run: [RIZO] C:\PROGRAM FILES\COMMON FILES\RIZO\RIZOM.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - User Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - User Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - User Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
O4 - User Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\PROGRAM FILES\VERIZON ONLINE\CONTROLPAD\Misc\a_menu.exe
O12 - Plugin for .zip: c:\PROGRA~1\INTERN~1\PLUGINS\NPHELP.DLL
O12 - Plugin for .exe: c:\PROGRA~1\INTERN~1\PLUGINS\NPHELP.DLL
O12 - Plugin for .bin: c:\PROGRA~1\INTERN~1\PLUGINS\NPHELP.DLL
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://ras.moonri.com/l.exe


#2 OldTimer


Posted 17 April 2005 - 02:55 AM

Hi krosati and welcome to the BC forums. Let's start out with this:
  • Download DLLCompare.
  • Double-click on DllCompare.exe to run the program.
  • Click "Run Locate.com" and it will scan your system for files.
  • Once the scan has finished click "Compare" to compare your files to valid Windows files.
  • Once it has finished comparing click "Make a Log of what was found".
  • Click "Yes" at the View Log file? prompt to view the log.
  • Copy and paste the entire log into this topic.
  • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
  • Click "Exit" to exit DLLCompare.
I will review the log when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 krosati


Posted 18 April 2005 - 10:37 PM

Is this what we were looking for?
I have a few programs installed that I have used to get rid of several issues in the past. Let me know what else I may need.
Thanks again for looking into this for me.



* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :thumbsup:"
________________________________________________

1,494 items found: 1,494 files, 0 directories.
Total of file sizes: 212,695,721 bytes 202.84 M

--------------------End log---------------------

#4 OldTimer


Posted 19 April 2005 - 12:25 AM

Hi krosati. Well, let's get to work here. Please proceed with the following steps in order.

Step #1

Download Pocket Killbox and unzip it to your desktop.

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CleanUp! and install it but do not run it yet.

Step #2

Double-click on KillBox.exe to launch the program.
  • Paste this file into the top Full Path of File to Delete field.
    • C:\WINDOWS\system\mdadn.dll
  • Click the Delete File button which looks like a stop sign.
  • Click No at the Pending Operations prompt.
Repeat the above steps for each of the following files. The only difference is that you will be substituting the file listed in the first step with each of the files below.
C:\WINDOWS\NTFA.DLL
C:\GPFVGSD.EXE
C:\WINDOWS\SYSTEM\D3CW.EXE
C:\WINDOWS\D3EX.EXE
C:\WINDOWS\CRPD.EXE
C:\WINDOWS\SYSTEM\APPCQ.EXE
C:\WINDOWS\MFCCU.EXE
C:\WINDOWS\SYSTEM\ADDXU.EXE
C:\WINDOWS\SYSTEM\SDKUN32.EXE
C:\WINDOWS\SDKEK.EXE
C:\WINDOWS\SYSTEM\NETXR.EXE
C:\WINDOWS\MSCP.EXE
C:\WINDOWS\SYSTEM\SYSNK32.EXE

I couldn't find any information on Rizo so if you do not know what this is then include it too:
C:\PROGRAM FILES\COMMON FILES\RIZO\RIZOM.EXE
After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so.

Step #3

Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Now reboot your computer to finish the fix.

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7C16C7E5-9CFA-188C-1391-6B30852F9DA6} - C:\WINDOWS\NTFA.DLL
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
O4 - HKLM\..\Run: [wDym6qE] C:\GPFVGSD.EXE
O4 - HKLM\..\Run: [D3CW.EXE] C:\WINDOWS\SYSTEM\D3CW.EXE
O4 - HKLM\..\RunServices: [D3EX.EXE] C:\WINDOWS\D3EX.EXE /s
O4 - HKLM\..\RunServices: [CRPD.EXE] C:\WINDOWS\CRPD.EXE /s
O4 - HKLM\..\RunServices: [APPCQ.EXE] C:\WINDOWS\SYSTEM\APPCQ.EXE /s
O4 - HKLM\..\RunServices: [MFCCU.EXE] C:\WINDOWS\MFCCU.EXE /s
O4 - HKLM\..\RunServices: [ADDXU.EXE] C:\WINDOWS\SYSTEM\ADDXU.EXE /s
O4 - HKLM\..\RunServices: [SDKUN32.EXE] C:\WINDOWS\SYSTEM\SDKUN32.EXE /s
O4 - HKLM\..\RunServices: [SDKEK.EXE] C:\WINDOWS\SDKEK.EXE /s
O4 - HKLM\..\RunServices: [NETXR.EXE] C:\WINDOWS\SYSTEM\NETXR.EXE /s
O4 - HKLM\..\RunServices: [MSCP.EXE] C:\WINDOWS\MSCP.EXE /s
O4 - HKLM\..\RunServices: [SYSNK32.EXE] C:\WINDOWS\SYSTEM\SYSNK32.EXE /s
O4 - HKCU\..\Run: [RIZO] C:\PROGRAM FILES\COMMON FILES\RIZO\RIZOM.EXE (if you don't know what this is)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://ras.moonri.com/l.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
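
Added example, not part of the original thread and not HijackThis's own logic: a short Python triage pass over HijackThis entry lines that flags three patterns visible among the items selected in Step #4 (IE settings pointing into a local DLL through res://, O4 autostart values named exactly after their own file or launched from the drive root, and an O16 source that is not a plain .cab URL). The heuristics, the function names and the sample (a few lines copied from the log in post #1) are assumptions chosen for illustration; a hit is a lead for review, not a verdict.

```python
import re
from ntpath import basename

# Constructed sample: a handful of lines copied from the log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mdadn.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] c:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [wDym6qE] C:\GPFVGSD.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NETXR.EXE] C:\WINDOWS\SYSTEM\NETXR.EXE /s
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://ras.moonri.com/l.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                       # "O4 - ..."
O4_REG = re.compile(r"^HK(?:LM|CU)\\\.\.\\(\w+): \[(.+?)\] (.*)$")   # key, name, command
EXE = re.compile(r'^"?(.+?\.(?:exe|com|bat|dll))', re.I)             # path without arguments

def parse(log):
    """Yield (section, body) for each entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def reasons(section, body):
    """Return the heuristic reasons (possibly none) for looking closer at one entry."""
    found = []
    if section in ("R0", "R1") and re.search(r"= res://.+\.dll/", body, re.I):
        found.append("IE setting points into a local DLL via res://")
    if section == "O4":
        m = O4_REG.match(body)
        exe = EXE.match(m.group(3)) if m else None
        if exe:
            path = exe.group(1)
            if basename(path).lower() == m.group(2).lower():
                found.append("value name is identical to the file name")
            if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
                found.append("executable sits in the drive root")
    if section == "O16" and re.search(r"mhtml:|\.exe$", body.split(" - ")[-1], re.I):
        found.append("ActiveX download source is not a plain .cab URL")
    return found

def triage(log):
    """Return [(section, body, [reasons])] for entries with at least one reason."""
    return [(s, b, r) for s, b in parse(log) if (r := reasons(s, b))]

if __name__ == "__main__":
    for section, body, why in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {'; '.join(why)}")
```

Entries that Step #4 selects for other reasons, such as the about:blank settings, are not covered by these three checks.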


#5 krosati


Posted 21 April 2005 - 11:36 PM

I have downloaded the suggested programs. However, when I try to install CWshredder, I get an error message "oleacc.dll is missing"

I tried finding this file by googling it but no luck. Did I do something wrong?

#6 OldTimer


Posted 22 April 2005 - 12:25 AM

Hi krosati. That file is specific to win98 1st edition. See this MS link to install the file: http://support.microsoft.com/default.aspx?...KB;en-us;810684

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#7 krosati


Posted 25 April 2005 - 12:52 PM

I'm on my PC at work now since I cannot get windows to load at home.
When it boots up, it appears to be running normally with the exception it takes longer (due to the numerous amounts of junk loading up).
When I get to the login screen, I log on and it tells me Explorer has caused an invalid page fault at ??????.
I click close program and it just sits there idle, no Windows.
I press ALT/CONTROL/DELETE and I have 30 plus processes running (those listed in my original post I assume).

I have tried rebooting in safe mode as well but to no avail. I get the same problems.
Any suggestions on how to remove some of the junk via DOS so I can at least get windows running again?
Doing a DIR on drive C:\ shows me many EXE's and DLL's loaded on the same 2 days I was on the computer recently. I thought I could remove some of them manually but decided against it since some may be valid.
I have another computer at home running XP for the kids but I will use it to connect tonight.
Thanks again for your patience and help.

#8 OldTimer


Posted 25 April 2005 - 03:51 PM

Hi krosati. Well, let's try this.

Start in DOS Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the DOS Mode Only (or Command Prompt Only, I can't remember) menu item.
  • Press the Enter key.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\system\mdadn.dll
C:\WINDOWS\NTFA.DLL
C:\GPFVGSD.EXE
C:\WINDOWS\SYSTEM\D3CW.EXE
C:\WINDOWS\D3EX.EXE
C:\WINDOWS\CRPD.EXE
C:\WINDOWS\SYSTEM\APPCQ.EXE
C:\WINDOWS\MFCCU.EXE
C:\WINDOWS\SYSTEM\ADDXU.EXE
C:\WINDOWS\SYSTEM\SDKUN32.EXE
C:\WINDOWS\SDKEK.EXE
C:\WINDOWS\SYSTEM\NETXR.EXE
C:\WINDOWS\MSCP.EXE
C:\WINDOWS\SYSTEM\SYSNK32.EXE

OK. Reboot your computer normally. Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Now reboot your computer to finish the fix.

Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
