please help get rid of spyware/about:blank etc.


15 replies to this topic

#1 fase

Posted 07 July 2005 - 09:17 AM

I formatted recently but the problems have started again. I have the Spybot Search & Destroy TeaTimer installed and I'm being bombarded with endless registry changes. I keep blocking them but they keep coming up. Also, each time I check Task Manager it is running bogus .exe's like ntnn.exe or skduh.exe. I find them and delete them but new ones keep coming up, and the TeaTimer pop-ups are driving me insane... can someone please help???


#2 fase (Topic Starter)

Posted 07 July 2005 - 11:38 AM

Any help would be highly appreciated.......

Please help?

#3 Grinler (Lawrence Abrams, Admin)

Posted 07 July 2005 - 12:36 PM

Create a directory on your hard drive to save HijackThis.exe, a directory like c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis Download Site

Save this file into the directory you made previously and then run the program named hijackthis.exe. When the program opens click on the Config button, then click on the Misc Tools button, and click on the Check for update online button. When it completes checking/applying updates press the back button.

Now click on the Scan button and when it is finished click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here and right click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the link below:

How to use HijackThis to remove Browser Hijackers, Malware, & Spyware

#4 diego88

Posted 07 July 2005 - 12:44 PM

Hello fase !


Please see the posting below by Moderator Scarlett and follow it if you have the same version, Spybot 1.4.
You will still be able to stay up to date with the older version of Spybot, per Moderator Leurgy.


Posted: Jun 20 2005, 08:53 AM (Group: Moderator)

My solution. With credit going to igonuts2 and Leurgy.


I did a complete uninstall of Spybot 1.4

First and importantly, I de-activated TeaTimer and the S&D Helper.
Un-installed Spybot 1.4 via Add/Remove
Removed Tea-Timer from startups

Removed all files and folders


Then I went back and installed the previous version.
Spybot 1.3

http://www.pcworld.com/downloads/file_desc...id,22262,00.asp

This is only for your Spybot fix; follow Grinler's advice to continue (HijackThis!!).

Good luck

#5 fase (Topic Starter)

Posted 07 July 2005 - 03:27 PM

Here is what I got... the only problem was I couldn't update because it wouldn't connect, even though I entered the proper proxy information.



Logfile of HijackThis v1.99.1
Scan saved at 11:23:22 PM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\sdkqw.exe
C:\downloaded programs\bleep-spyware tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.12.12.2:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC1508A7-C941-9AC5-7AB9-369A6853C28F} - C:\WINDOWS\system32\winqr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [javatm.exe] C:\WINDOWS\system32\javatm.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [iebt32.exe] C:\WINDOWS\system32\iebt32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118698986359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkqw.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



thanks for the help.

#6 fase (Topic Starter)

Posted 07 July 2005 - 04:47 PM

Yo Grinler, where you at?

#7 Grinler (Lawrence Abrams, Admin)

Posted 07 July 2005 - 05:04 PM

Download cwshredder 2.12 from here:

http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe

Run the file after it is downloaded and click on the Fix button. Let it do its thing until it's done, even if it crashes.

When it's done, run HijackThis again and post a new log.

#8 fase (Topic Starter)

Posted 07 July 2005 - 06:55 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:50:35 AM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\javatm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wisptis.exe
C:\WINDOWS\system32\sdkqw.exe
C:\downloaded programs\bleep-spyware tools\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.12.12.2:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC1508A7-C941-9AC5-7AB9-369A6853C28F} - C:\WINDOWS\system32\winqr32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [javatm.exe] C:\WINDOWS\system32\javatm.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [iebt32.exe] C:\WINDOWS\system32\iebt32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118698986359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkqw.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

#9 Grinler (Lawrence Abrams, Admin)

Posted 07 July 2005 - 07:58 PM

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Download AboutBuster.
Unzip AboutBuster into its own folder, such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now; do not run it yet, that's for later.
If you get an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
Do not use it yet.

* Download CWShredder. Don't let it run yet!

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

First, we will make your hidden files and folders visible.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide file extensions for known file types.
* Click Yes to confirm.
* Click OK.

*Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

*Start hijackthis and click scan and put a checkmark next to the following items:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC1508A7-C941-9AC5-7AB9-369A6853C28F} - C:\WINDOWS\system32\winqr32.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [javatm.exe] C:\WINDOWS\system32\javatm.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [iebt32.exe] C:\WINDOWS\system32\iebt32.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkqw.exe" /s (file missing)


*Close all open windows except hijackthis and click 'Fix Checked'.

*Navigate to and delete the following files if present:

C:\WINDOWS\system32\dqeva.dll
C:\WINDOWS\system32\winqr32.dll
C:\WINDOWS\system32\javatm.exe
C:\Program Files\AntivirusGold\
C:\WINDOWS\system32\iebt32.exe


*Start AboutBuster and let it scan. When the scan is done and you choose Exit, it will automatically create a log in the same folder AboutBuster is in.

*Start CWShredder and click Fix.

* Double-click on the HSfix file you downloaded earlier, which is on your desktop, and when it asks whether you want to add the contents to the registry, click Yes/OK.

* Still in Safe Mode, run CCleaner and click Run Cleaner (bottom right).

*Go to Start > Control Panel > Internet Options > Programs tab and click Reset Web Settings.

* Reboot your PC back to Normal Mode.

* Perform an online scan with BitDefender and/or HouseCall (check the autodelete option) and let it delete everything it finds.
!!! Don't forget this step!!!!!

Download the next regfix: Fix_Protocol_zones_ranges
Double-click on it and when it asks whether you want to add the contents to the registry, click Yes/OK.

*Post a new HijackThis log plus the AboutBuster log, which you'll find in the AboutBuster folder.
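What Grinler is doing above is pattern-matching the log by hand: IE search and start settings that point into a local DLL through a res:// URL, five-letter DLLs and EXEs dropped straight into C:\WINDOWS or system32, a service with an unknown owner, and a browser launched from a Run key. The following is an added example, not part of the original thread and not HijackThis's own logic, that encodes those same heuristics as a Python triage pass over HijackThis v1.99 lines. The sample lines are copied from the logs posted in this thread, and the allowlist of system-directory binaries is my own assumption built from the clean parts of those logs; tune it per host.

```python
"""Heuristic triage of a HijackThis v1.99 log for the about:blank / res://
indicators discussed in this thread. It narrows what a human looks at;
it is not a scanner and carries no signatures."""
import re

# Windows path: a drive letter or %SystemRoot%, then components up to the
# first space or quote (good enough for HijackThis output).
PATH_RE = re.compile(r'(?:[A-Za-z]:|%systemroot%)\\[^\s"]+', re.I)

# Directories this hijacker family drops its randomly named DLLs/EXEs into.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32",
               "%systemroot%", "%systemroot%\\system32"}

# Assumed allowlist: binaries that legitimately live in those directories and
# appear in the clean parts of the logs above. Not a Windows reference list.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "ctfmon.exe", "msgsys.exe", "wisptis.exe",
    "dumprep", "msdxm.ocx", "navlogon.dll",
}

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\sdkqw.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqeva.dll/sp.html#73077
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AC1508A7-C941-9AC5-7AB9-369A6853C28F} - C:\WINDOWS\system32\winqr32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [javatm.exe] C:\WINDOWS\system32\javatm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkqw.exe" /s (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


def unknown_system_binary(path):
    """File name if it sits in a system directory and is not allowlisted."""
    parts = path.lower().split("\\")
    parent, name = "\\".join(parts[:-1]), parts[-1]
    if parent in SYSTEM_DIRS and name not in KNOWN_SYSTEM_BINARIES:
        return name
    return None


def triage_line(line):
    """Return a short reason if the line deserves a human look, else None."""
    line = line.strip()
    low = line.lower()
    kind, sep, rest = line.partition(" - ")
    if not sep:                                  # "Running processes:" section
        name = unknown_system_binary(line) if low.startswith("c:\\") else None
        return f"running process {name} is an unrecognised system-directory binary" if name else None
    if kind in ("R0", "R1"):
        value = rest.partition(" = ")[2].strip().lower()
        if "res://" in value:                    # search/start page served from a local DLL
            return "IE search/start setting redirected into a local DLL via res://"
        if "default_page_url" in low and value == "about:blank":
            return "HKLM Default_Page_URL forced to about:blank"
        return None
    if kind == "R3" and "missing" in low:
        return "default URLSearchHook removed"
    if kind == "O4" and "iexplore.exe" in low:   # browser started at logon by a Run key
        return "Internet Explorer auto-started from a Run key"
    if kind in ("O2", "O3", "O4", "O20", "O23"):
        m = PATH_RE.search(rest)
        if m is None:
            return "registration without a file on disk" if "(no file)" in low else None
        name = unknown_system_binary(m.group(0))
        if name:
            return f"{kind} loads unrecognised system-directory binary {name}"
        if kind == "O23" and "unknown owner" in low and "(file missing)" in low:
            return "service with unknown owner and missing binary"
    return None


def triage(log_text):
    """All (line, reason) pairs from a log, in log order."""
    hits = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for hit_line, reason in triage(SAMPLE_LOG):
        print(f"{reason:<68} | {hit_line[:70]}")
```

Two caveats worth keeping in mind when reading the output against the logs above. The "(file missing)" on the sdkqw.exe service is HijackThis tripping over the stray quote in the service's ImagePath, not evidence the file is gone: the same binary appears in the running-process list, which is why the triage checks the path before it trusts that flag. O17 NameServer entries are deliberately not flagged; the 12.12.12.x servers here sit on the same subnet as the proxy the poster configured, so they look like the local network rather than a DNS hijack, and only the owner of that network can say for sure.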

#10 fase (Topic Starter)

Posted 08 July 2005 - 06:05 AM

Grinler, when I run the HijackThis scan in Safe Mode, I don't get the same results as when I run it normally. Some of the items you are telling me to remove don't show up in Safe Mode, particularly some of the R1's. Do I just forget about those?

Also, now all of a sudden I have bogus internet bookmarks saved in my Favorites.

Help!

#11 fase (Topic Starter)

Posted 08 July 2005 - 06:21 AM

Oh man, I can't even use the HSfix in Safe Mode... when I click Yes to add the info to the registry I get an error and it doesn't work. Now I'm really confused.

#12 Leurgy

Posted 08 July 2005 - 07:57 AM

Disable TeaTimer when working with HijackThis.


#13 fase (Topic Starter)

Posted 08 July 2005 - 09:22 AM

Disable TeaTimer when working with HijackThis.

Well, it's not like TeaTimer is running in Safe Mode anyway... but thanks.

So what should I do???

#14 Grinler (Lawrence Abrams, Admin)

Posted 08 July 2005 - 11:12 AM

Just continue on with the fix as much as you can, then reboot and post a new log.

#15 fase (Topic Starter)

Posted 17 July 2005 - 08:51 PM

OK, I'm back. I think I should tell you that I ran both virus scans, but the second one didn't let me delete everything it found because the files were in use.

As I said before, I wasn't able to add the first regfix, I got an error. The second one, after the virus scans, did work.

here are the logs:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\downloaded programs\bleep-spyware tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ltcib.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ltcib.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ltcib.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ltcib.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Class - {F53A477A-7B1C-2657-7904-F2611BC95C35} - C:\WINDOWS\apixm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iekq32.exe] C:\WINDOWS\system32\iekq32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118698986359
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15C3E5E3-DECB-4083-B1BF-66085A94F95B}: NameServer = 12.12.12.2,12.12.12.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\sdkqw.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe



AboutBuster 5.0 reference file 28
Scan started on [7/8/2005] at [1:54:30 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Directx.log:bvgrof
Removed Stream! C:\WINDOWS\DtcInstall.log:ldvdxd
Removed Stream! C:\WINDOWS\FaxSetup.log:uwywih
Removed Stream! C:\WINDOWS\jkmgx.dat:hrqibo
Removed Stream! C:\WINDOWS\MedCtrOC.log:zsjnwz
Removed Stream! C:\WINDOWS\msmqinst.log:ssttqb
Removed Stream! C:\WINDOWS\QTFont.qfn:etnuxy
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:ovjkhc
Removed Stream! C:\WINDOWS\VPC32.INI:vyibum
Removed Stream! C:\WINDOWS\win.ini:nzagwx
Removed Stream! C:\WINDOWS\Windows Update.log:hzqzmo
Removed Stream! C:\WINDOWS\winnt.bmp:vfyvyu
Removed Stream! C:\WINDOWS\WMSysPrx.prx:ogribw
Removed Stream! C:\WINDOWS\_default.pif:aalhjt
Removed Stream! C:\WINDOWS\_default.pif:epqpil
------------------------------------------------
Removed File! : C:\Windows\eyisa.dat
Removed File! : C:\Windows\jkmgx.dat
Removed File! : C:\Windows\System32\acziw.dll
Removed File! : C:\Windows\System32\dsqbq.dat
Removed File! : C:\Windows\System32\nxjdy.dll
Removed File! : C:\Windows\System32\uqcei.dll
Removed File! : C:\Windows\System32\vstjm.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:54:56 PM


AboutBuster 5.0 reference file 28
Scan started on [7/8/2005] at [2:12:27 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Directx.log:mdcuxm
Removed Stream! C:\WINDOWS\_default.pif:ghvllc
------------------------------------------------
Removed File! : C:\Windows\System32\kxpok.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:12:49 PM


AboutBuster 5.0 reference file 30
Scan started on [7/18/2005] at [12:31:27 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:emgivo
Removed Stream! C:\WINDOWS\_default.pif:gdigxn
Removed Stream! C:\WINDOWS\_default.pif:llvvbm
Removed Stream! C:\WINDOWS\_default.pif:mclfeo
Removed Stream! C:\WINDOWS\_default.pif:pzschi
Removed Stream! C:\WINDOWS\_default.pif:wqqyyb
Removed Stream! C:\WINDOWS\_default.pif:xqjdkv
------------------------------------------------
Removed File! : C:\Windows\System32\ltcib.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:31:52 AM



