Trojan I Can't Remove, Computer Freezes Up


28 replies to this topic

#1 boop1967

boop1967

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 25 November 2005 - 01:18 PM

I have a trojan I cannot remove and need some help. I would have liked to follow your instructions completely to prepare to post the log, but I can't use my computer any more. It keeps freezing up.

My operating system is Windows ME.
I have AVG antivirus (free edition) and VCom (SystemSuite 5) antivirus.
I have NetDefense firewall.
I have AdsGone 2004.
I have TrojanHunter4.
I have Spybot Search & Destroy.
I have Ad-Aware SE Personal.
I have Spyware Blaster (just got it, so haven't used it yet - not familiar with it).
And I have Hijack This.

With the exception of Spyware Blaster, I have run and tried everything listed above.
As stated previously, I am not able to use my computer properly, so I was unable to use the other software suggested by your site as preparation to posting. I want to, but I can't.

Here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 12:04:45 PM, on 11/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: Class - {7B30F33D-4323-2428-D014-8BE0A8C8C8ED} - C:\WINDOWS\APPBU32.DLL
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\APPSR.DLL
O2 - BHO: Class - {A21DD4D8-BF05-767B-3F29-8EE39B7AA18D} - C:\WINDOWS\SYSTEM\WINTU.DLL
O2 - BHO: Class - {1544124E-0E58-9403-ED07-241C6B1E7CF1} - C:\WINDOWS\SYSTEM\APPFF.DLL
O2 - BHO: Class - {7BB24CAD-6CA1-2285-99FF-C427B6BA75DD} - C:\WINDOWS\SYSTEM\ADDFF.DLL
O2 - BHO: Class - {9E38F756-1C94-A683-BC63-98538C6D8819} - C:\WINDOWS\SYSTEM\APILF32.DLL
O2 - BHO: Class - {10388970-0592-BCC4-1BCB-3147DA75A2F6} - C:\WINDOWS\SYSTEM\NETQN.DLL
O2 - BHO: Class - {19B5C29D-9B4F-678C-449E-EDD9FE141A0B} - C:\WINDOWS\SYSTEM\IENF.DLL
O2 - BHO: Class - {4A35DEC1-AC71-E2CC-AA75-FE86733D32EC} - C:\WINDOWS\ADDGY.DLL
O2 - BHO: Class - {7DB11ADC-366B-476F-A044-6EDCAD101014} - C:\WINDOWS\APIIO32.DLL
O2 - BHO: Class - {D2B24D87-699F-16C6-2875-242B4CB88477} - C:\WINDOWS\SDKIM.DLL
O2 - BHO: Class - {0C53C50B-D818-F1CB-C013-1D3F181EDD6C} - C:\WINDOWS\NTDK32.DLL
O2 - BHO: Class - {0CDF6D82-5712-7179-76F5-8BCB61F5E50A} - C:\WINDOWS\APIYS32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CRAS32.EXE] C:\WINDOWS\SYSTEM\CRAS32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CRYS.EXE] C:\WINDOWS\SYSTEM\CRYS.EXE /s
O4 - HKLM\..\RunServices: [ADDRO.EXE] C:\WINDOWS\ADDRO.EXE /s
O4 - HKLM\..\RunServices: [D3BU.EXE] C:\WINDOWS\SYSTEM\D3BU.EXE /s
O4 - HKLM\..\RunServices: [CRTB.EXE] C:\WINDOWS\SYSTEM\CRTB.EXE /s
O4 - HKLM\..\RunServices: [APIKI32.EXE] C:\WINDOWS\SYSTEM\APIKI32.EXE /s
O4 - HKLM\..\RunServices: [ATLME.EXE] C:\WINDOWS\SYSTEM\ATLME.EXE /s
O4 - HKLM\..\RunServices: [MFCRX.EXE] C:\WINDOWS\MFCRX.EXE /s
O4 - HKLM\..\RunServices: [CRSP.EXE] C:\WINDOWS\CRSP.EXE /s
O4 - HKLM\..\RunServices: [APPZY32.EXE] C:\WINDOWS\SYSTEM\APPZY32.EXE /s
O4 - HKLM\..\RunServices: [SYSHV32.EXE] C:\WINDOWS\SYSHV32.EXE /s
O4 - HKLM\..\RunServices: [SYSRP32.EXE] C:\WINDOWS\SYSRP32.EXE /s
O4 - HKLM\..\RunServices: [ADDPR32.EXE] C:\WINDOWS\ADDPR32.EXE /s
O4 - HKLM\..\RunServices: [JAVABK.EXE] C:\WINDOWS\JAVABK.EXE /s
O4 - HKLM\..\RunServices: [D3RW.EXE] C:\WINDOWS\SYSTEM\D3RW.EXE /s
O4 - HKLM\..\RunServices: [CRFL32.EXE] C:\WINDOWS\CRFL32.EXE /s
O4 - HKLM\..\RunServices: [SYSFU32.EXE] C:\WINDOWS\SYSFU32.EXE /s
O4 - HKLM\..\RunServices: [D3CY32.EXE] C:\WINDOWS\D3CY32.EXE /s
O4 - HKLM\..\RunServices: [MSTC32.EXE] C:\WINDOWS\MSTC32.EXE /s
O4 - HKLM\..\RunServices: [ADDZO32.EXE] C:\WINDOWS\SYSTEM\ADDZO32.EXE /s
O4 - HKLM\..\RunServices: [APIUO32.EXE] C:\WINDOWS\APIUO32.EXE /s
O4 - HKLM\..\RunServices: [APIYS32.EXE] C:\WINDOWS\APIYS32.EXE /s
O4 - HKLM\..\RunServices: [D3SA.EXE] C:\WINDOWS\SYSTEM\D3SA.EXE /s
O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE /s
O4 - HKLM\..\RunServices: [APIDL32.EXE] C:\WINDOWS\SYSTEM\APIDL32.EXE /s
O4 - HKLM\..\RunServices: [SDKGD32.EXE] C:\WINDOWS\SYSTEM\SDKGD32.EXE /s
O4 - HKLM\..\RunServices: [D3ZS.EXE] C:\WINDOWS\SYSTEM\D3ZS.EXE /s
O4 - HKLM\..\RunServices: [ADDWJ.EXE] C:\WINDOWS\ADDWJ.EXE /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200411...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab






Thank you. I am new here, so I apologize if I screwed up in any way. :thumbsup:



#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:38 AM

Posted 25 November 2005 - 02:42 PM

My name is David

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help getting it back to how it was.

It may look like a lot below - follow the instructions as carefully as possible and everything should be kool!
________________________________________________

Download CWShredder Here to its own folder.
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click here to download AboutBuster created by Rubber Ducky
Unzip AboutBuster to the desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit".

Click here to download cwsserviceremove.zip : http://castlecops.com/zx/flrman1/cwsserviceremove.zip
Unzip it to your desktop and have it ready to run later.

Download CleanUp!
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK

    DO NOT run it yet!
Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.

Make sure that you can see hidden files (Windows XP).
  • Click "Start".
  • Click "My Computer".
  • Select the "Tools" menu and click "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Click "Yes" to confirm.
  • Uncheck the "Hide file extensions for known file types".
  • Click "OK".

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

Network Security Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: Class - {7B30F33D-4323-2428-D014-8BE0A8C8C8ED} - C:\WINDOWS\APPBU32.DLL
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\APPSR.DLL
O2 - BHO: Class - {A21DD4D8-BF05-767B-3F29-8EE39B7AA18D} - C:\WINDOWS\SYSTEM\WINTU.DLL
O2 - BHO: Class - {1544124E-0E58-9403-ED07-241C6B1E7CF1} - C:\WINDOWS\SYSTEM\APPFF.DLL
O2 - BHO: Class - {7BB24CAD-6CA1-2285-99FF-C427B6BA75DD} - C:\WINDOWS\SYSTEM\ADDFF.DLL
O2 - BHO: Class - {9E38F756-1C94-A683-BC63-98538C6D8819} - C:\WINDOWS\SYSTEM\APILF32.DLL
O2 - BHO: Class - {10388970-0592-BCC4-1BCB-3147DA75A2F6} - C:\WINDOWS\SYSTEM\NETQN.DLL
O2 - BHO: Class - {19B5C29D-9B4F-678C-449E-EDD9FE141A0B} - C:\WINDOWS\SYSTEM\IENF.DLL
O2 - BHO: Class - {4A35DEC1-AC71-E2CC-AA75-FE86733D32EC} - C:\WINDOWS\ADDGY.DLL
O2 - BHO: Class - {7DB11ADC-366B-476F-A044-6EDCAD101014} - C:\WINDOWS\APIIO32.DLL
O2 - BHO: Class - {D2B24D87-699F-16C6-2875-242B4CB88477} - C:\WINDOWS\SDKIM.DLL
O2 - BHO: Class - {0C53C50B-D818-F1CB-C013-1D3F181EDD6C} - C:\WINDOWS\NTDK32.DLL
O2 - BHO: Class - {0CDF6D82-5712-7179-76F5-8BCB61F5E50A} - C:\WINDOWS\APIYS32.DLL
O4 - HKLM\..\Run: [CRAS32.EXE] C:\WINDOWS\SYSTEM\CRAS32.EXE
O4 - HKLM\..\RunServices: [CRYS.EXE] C:\WINDOWS\SYSTEM\CRYS.EXE /s
O4 - HKLM\..\RunServices: [ADDRO.EXE] C:\WINDOWS\ADDRO.EXE /s
O4 - HKLM\..\RunServices: [D3BU.EXE] C:\WINDOWS\SYSTEM\D3BU.EXE /s
O4 - HKLM\..\RunServices: [CRTB.EXE] C:\WINDOWS\SYSTEM\CRTB.EXE /s
O4 - HKLM\..\RunServices: [APIKI32.EXE] C:\WINDOWS\SYSTEM\APIKI32.EXE /s
O4 - HKLM\..\RunServices: [ATLME.EXE] C:\WINDOWS\SYSTEM\ATLME.EXE /s
O4 - HKLM\..\RunServices: [MFCRX.EXE] C:\WINDOWS\MFCRX.EXE /s
O4 - HKLM\..\RunServices: [CRSP.EXE] C:\WINDOWS\CRSP.EXE /s
O4 - HKLM\..\RunServices: [APPZY32.EXE] C:\WINDOWS\SYSTEM\APPZY32.EXE /s
O4 - HKLM\..\RunServices: [SYSHV32.EXE] C:\WINDOWS\SYSHV32.EXE /s
O4 - HKLM\..\RunServices: [SYSRP32.EXE] C:\WINDOWS\SYSRP32.EXE /s
O4 - HKLM\..\RunServices: [ADDPR32.EXE] C:\WINDOWS\ADDPR32.EXE /s
O4 - HKLM\..\RunServices: [JAVABK.EXE] C:\WINDOWS\JAVABK.EXE /s
O4 - HKLM\..\RunServices: [D3RW.EXE] C:\WINDOWS\SYSTEM\D3RW.EXE /s
O4 - HKLM\..\RunServices: [CRFL32.EXE] C:\WINDOWS\CRFL32.EXE /s
O4 - HKLM\..\RunServices: [SYSFU32.EXE] C:\WINDOWS\SYSFU32.EXE /s
O4 - HKLM\..\RunServices: [D3CY32.EXE] C:\WINDOWS\D3CY32.EXE /s
O4 - HKLM\..\RunServices: [MSTC32.EXE] C:\WINDOWS\MSTC32.EXE /s
O4 - HKLM\..\RunServices: [ADDZO32.EXE] C:\WINDOWS\SYSTEM\ADDZO32.EXE /s
O4 - HKLM\..\RunServices: [APIUO32.EXE] C:\WINDOWS\APIUO32.EXE /s
O4 - HKLM\..\RunServices: [APIYS32.EXE] C:\WINDOWS\APIYS32.EXE /s
O4 - HKLM\..\RunServices: [D3SA.EXE] C:\WINDOWS\SYSTEM\D3SA.EXE /s
O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE /s
O4 - HKLM\..\RunServices: [APIDL32.EXE] C:\WINDOWS\SYSTEM\APIDL32.EXE /s
O4 - HKLM\..\RunServices: [SDKGD32.EXE] C:\WINDOWS\SYSTEM\SDKGD32.EXE /s
O4 - HKLM\..\RunServices: [D3ZS.EXE] C:\WINDOWS\SYSTEM\D3ZS.EXE /s
O4 - HKLM\..\RunServices: [ADDWJ.EXE] C:\WINDOWS\ADDWJ.EXE /s
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab


Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system\vxeav.dll
C:\WINDOWS\SYSTEM\IETie.dll
C:\WINDOWS\SYSTEM\CRAS32.EXE
C:\WINDOWS\SYSTEM\CRYS.EXE
C:\WINDOWS\ADDRO.EXE
C:\WINDOWS\SYSTEM\D3BU.EXE
C:\WINDOWS\SYSTEM\CRTB.EXE
C:\WINDOWS\SYSTEM\APIKI32.EXE
C:\WINDOWS\SYSTEM\ATLME.EXE
C:\WINDOWS\MFCRX.EXE
C:\WINDOWS\CRSP.EXE
C:\WINDOWS\SYSTEM\APPZY32.EXE
C:\WINDOWS\SYSHV32.EXE
C:\WINDOWS\SYSRP32.EXE
C:\WINDOWS\ADDPR32.EXE
C:\WINDOWS\JAVABK.EXE
C:\WINDOWS\SYSTEM\D3RW.EXE
C:\WINDOWS\CRFL32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\MSTC32.EXE
C:\WINDOWS\SYSTEM\ADDZO32.EXE
C:\WINDOWS\APIUO32.EXE
C:\WINDOWS\APIUO32.EXE
C:\WINDOWS\SYSTEM\D3SA.EXE
C:\WINDOWS\WINXZ32.EXE
C:\WINDOWS\SYSTEM\APIDL32.EXE
C:\WINDOWS\SYSTEM\SDKGD32.EXE
C:\WINDOWS\SYSTEM\D3ZS.EXE
C:\WINDOWS\ADDWJ.EXE


Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Next run AboutBuster. Double click Aboutbuster.exe, click OK, click Start then click OK. This will scan your computer for the bad files and delete them.

Now, run CWShredder. Just click on the cwshredder.exe then click Fix (Not Scan only) and let it do its thing.

Now run cleanup!
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.
Click Here to do a Panda online scan
  • If it asks you install active x controls click Yes
  • if a box comes up telling you to install the program also click Yes
  • Make sure you tick Disinfect automatically under Scan Options
  • complete the scan and post the log that you can save afterwards in the same way you did the HJT log.
  • It is normal for it to take a reasonable time to complete
Please download hoster from the link below.
http://www.funkytoad.com/download/hoster.zip
  • Unzip Hoster.zip
  • Open Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
  • Reboot and "copy/paste" a new log file into this thread, after completing any other instructions given
If you have Spybot S&D installed you will also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html
Download SDHelper.dll
Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

Reboot and post another HijackThis log please.

David

#3 boop1967

boop1967
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 25 November 2005 - 03:00 PM

David,

Thank you for your quick reply. Perhaps I should have been more clear.

Right now I am using someone else's laptop because I can't get online with my computer. Sometimes it even freezes during startup. I can't get on there to successfully download anything. Once in a while it lets me, and of course the home page is hijacked. Then it may or may not let me proceed to other sites. It usually freezes up before I can do anything at all.

I was able to run Hijack this on my computer in safe mode and save the log to a disk to use on this laptop.

Is there anything I can do to get to the point that I can get online on mine? I keep ctrl-alt-deleting to close the unwanted programs, but they reload as fast as I close them and ultimately freeze me up.

Please let me know if there is anything I can delete in hijack this or otherwise. I will continue to try to get online on mine while I await your response, but I must say I am not optimistic.

Thanks again... Betty

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:38 AM

Posted 25 November 2005 - 03:03 PM

Sorry, big apology - I should have read what you said! :thumbsup: :flowers:

Ok, boot into safe mode:

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: Class - {7B30F33D-4323-2428-D014-8BE0A8C8C8ED} - C:\WINDOWS\APPBU32.DLL
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\APPSR.DLL
O2 - BHO: Class - {A21DD4D8-BF05-767B-3F29-8EE39B7AA18D} - C:\WINDOWS\SYSTEM\WINTU.DLL
O2 - BHO: Class - {1544124E-0E58-9403-ED07-241C6B1E7CF1} - C:\WINDOWS\SYSTEM\APPFF.DLL
O2 - BHO: Class - {7BB24CAD-6CA1-2285-99FF-C427B6BA75DD} - C:\WINDOWS\SYSTEM\ADDFF.DLL
O2 - BHO: Class - {9E38F756-1C94-A683-BC63-98538C6D8819} - C:\WINDOWS\SYSTEM\APILF32.DLL
O2 - BHO: Class - {10388970-0592-BCC4-1BCB-3147DA75A2F6} - C:\WINDOWS\SYSTEM\NETQN.DLL
O2 - BHO: Class - {19B5C29D-9B4F-678C-449E-EDD9FE141A0B} - C:\WINDOWS\SYSTEM\IENF.DLL
O2 - BHO: Class - {4A35DEC1-AC71-E2CC-AA75-FE86733D32EC} - C:\WINDOWS\ADDGY.DLL
O2 - BHO: Class - {7DB11ADC-366B-476F-A044-6EDCAD101014} - C:\WINDOWS\APIIO32.DLL
O2 - BHO: Class - {D2B24D87-699F-16C6-2875-242B4CB88477} - C:\WINDOWS\SDKIM.DLL
O2 - BHO: Class - {0C53C50B-D818-F1CB-C013-1D3F181EDD6C} - C:\WINDOWS\NTDK32.DLL
O2 - BHO: Class - {0CDF6D82-5712-7179-76F5-8BCB61F5E50A} - C:\WINDOWS\APIYS32.DLL
O4 - HKLM\..\Run: [CRAS32.EXE] C:\WINDOWS\SYSTEM\CRAS32.EXE
O4 - HKLM\..\RunServices: [CRYS.EXE] C:\WINDOWS\SYSTEM\CRYS.EXE /s
O4 - HKLM\..\RunServices: [ADDRO.EXE] C:\WINDOWS\ADDRO.EXE /s
O4 - HKLM\..\RunServices: [D3BU.EXE] C:\WINDOWS\SYSTEM\D3BU.EXE /s
O4 - HKLM\..\RunServices: [CRTB.EXE] C:\WINDOWS\SYSTEM\CRTB.EXE /s
O4 - HKLM\..\RunServices: [APIKI32.EXE] C:\WINDOWS\SYSTEM\APIKI32.EXE /s
O4 - HKLM\..\RunServices: [ATLME.EXE] C:\WINDOWS\SYSTEM\ATLME.EXE /s
O4 - HKLM\..\RunServices: [MFCRX.EXE] C:\WINDOWS\MFCRX.EXE /s
O4 - HKLM\..\RunServices: [CRSP.EXE] C:\WINDOWS\CRSP.EXE /s
O4 - HKLM\..\RunServices: [APPZY32.EXE] C:\WINDOWS\SYSTEM\APPZY32.EXE /s
O4 - HKLM\..\RunServices: [SYSHV32.EXE] C:\WINDOWS\SYSHV32.EXE /s
O4 - HKLM\..\RunServices: [SYSRP32.EXE] C:\WINDOWS\SYSRP32.EXE /s
O4 - HKLM\..\RunServices: [ADDPR32.EXE] C:\WINDOWS\ADDPR32.EXE /s
O4 - HKLM\..\RunServices: [JAVABK.EXE] C:\WINDOWS\JAVABK.EXE /s
O4 - HKLM\..\RunServices: [D3RW.EXE] C:\WINDOWS\SYSTEM\D3RW.EXE /s
O4 - HKLM\..\RunServices: [CRFL32.EXE] C:\WINDOWS\CRFL32.EXE /s
O4 - HKLM\..\RunServices: [SYSFU32.EXE] C:\WINDOWS\SYSFU32.EXE /s
O4 - HKLM\..\RunServices: [D3CY32.EXE] C:\WINDOWS\D3CY32.EXE /s
O4 - HKLM\..\RunServices: [MSTC32.EXE] C:\WINDOWS\MSTC32.EXE /s
O4 - HKLM\..\RunServices: [ADDZO32.EXE] C:\WINDOWS\SYSTEM\ADDZO32.EXE /s
O4 - HKLM\..\RunServices: [APIUO32.EXE] C:\WINDOWS\APIUO32.EXE /s
O4 - HKLM\..\RunServices: [APIYS32.EXE] C:\WINDOWS\APIYS32.EXE /s
O4 - HKLM\..\RunServices: [D3SA.EXE] C:\WINDOWS\SYSTEM\D3SA.EXE /s
O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE /s
O4 - HKLM\..\RunServices: [APIDL32.EXE] C:\WINDOWS\SYSTEM\APIDL32.EXE /s
O4 - HKLM\..\RunServices: [SDKGD32.EXE] C:\WINDOWS\SYSTEM\SDKGD32.EXE /s
O4 - HKLM\..\RunServices: [D3ZS.EXE] C:\WINDOWS\SYSTEM\D3ZS.EXE /s
O4 - HKLM\..\RunServices: [ADDWJ.EXE] C:\WINDOWS\ADDWJ.EXE /s
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab


Make sure that you can see hidden files (Windows XP).
  • Click "Start".
  • Click "My Computer".
  • Select the "Tools" menu and click "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Click "Yes" to confirm.
  • Uncheck the "Hide file extensions for known file types".
  • Click "OK".

Find and manually delete these files:

C:\WINDOWS\system\vxeav.dll
C:\WINDOWS\SYSTEM\IETie.dll
C:\WINDOWS\SYSTEM\CRAS32.EXE
C:\WINDOWS\SYSTEM\CRYS.EXE
C:\WINDOWS\ADDRO.EXE
C:\WINDOWS\SYSTEM\D3BU.EXE
C:\WINDOWS\SYSTEM\CRTB.EXE
C:\WINDOWS\SYSTEM\APIKI32.EXE
C:\WINDOWS\SYSTEM\ATLME.EXE
C:\WINDOWS\MFCRX.EXE
C:\WINDOWS\CRSP.EXE
C:\WINDOWS\SYSTEM\APPZY32.EXE
C:\WINDOWS\SYSHV32.EXE
C:\WINDOWS\SYSRP32.EXE
C:\WINDOWS\ADDPR32.EXE
C:\WINDOWS\JAVABK.EXE
C:\WINDOWS\SYSTEM\D3RW.EXE
C:\WINDOWS\CRFL32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\MSTC32.EXE
C:\WINDOWS\SYSTEM\ADDZO32.EXE
C:\WINDOWS\APIUO32.EXE
C:\WINDOWS\APIUO32.EXE
C:\WINDOWS\SYSTEM\D3SA.EXE
C:\WINDOWS\WINXZ32.EXE
C:\WINDOWS\SYSTEM\APIDL32.EXE
C:\WINDOWS\SYSTEM\SDKGD32.EXE
C:\WINDOWS\SYSTEM\D3ZS.EXE
C:\WINDOWS\ADDWJ.EXE


Reboot and see if you can get into normal mode

Can you download programs to a disc/floppy from the laptop, and bring them across to your computer?

David

Edited by D-Trojanator, 25 November 2005 - 03:04 PM.
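
A consistency check between the entries ticked in HijackThis and the file paths handed to the delete step, as an added example that is not part of the original posts. The sample lines are a subset copied from this thread; the function names `entry_path` and `review` are made up here.

```python
import re
from collections import Counter

# Sections whose entries point at a file on disk: R0/R1 (IE search and
# start pages), O2 (browser helper objects), O4 (autostart entries).
FILE_SECTIONS = {"R0", "R1", "O2", "O4"}
SECTION_RE = re.compile(r"^(R\d|O\d+) - ")

# First drive-letter path ending in .exe or .dll. The match is non-greedy,
# so trailing arguments ("/s") and res:// suffixes ("/sp.html#93256") are
# dropped, while " - " inside a folder name (Spybot's install path) is kept.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)


def entry_path(line):
    """Return the upper-cased file path a HijackThis entry refers to, or None."""
    line = line.strip()
    section = SECTION_RE.match(line)
    if not section or section.group(1) not in FILE_SECTIONS:
        return None
    path = PATH_RE.search(line)
    # Windows paths are case-insensitive, so compare in one case.
    return path.group(0).upper() if path else None


def review(fix_lines, delete_paths):
    """Compare the files behind the ticked entries with the deletion list."""
    wanted = []
    for line in fix_lines:
        path = entry_path(line)
        if path and path not in wanted:
            wanted.append(path)
    listed = [p.strip().upper() for p in delete_paths if p.strip()]
    counts = Counter(listed)
    return {
        # referenced by a ticked entry but absent from the deletion list
        "not_listed": [p for p in wanted if p not in counts],
        # pasted into the deletion list more than once
        "repeated": [p for p, n in counts.items() if n > 1],
        # on the deletion list without any ticked entry pointing at it
        "unreferenced": [p for p in counts if p not in wanted],
    }


# Subset of the "fix checked" entries from the thread.
FIX_ENTRIES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: Class - {0CDF6D82-5712-7179-76F5-8BCB61F5E50A} - C:\WINDOWS\APIYS32.DLL
O4 - HKLM\..\Run: [CRAS32.EXE] C:\WINDOWS\SYSTEM\CRAS32.EXE
O4 - HKLM\..\RunServices: [SYSFU32.EXE] C:\WINDOWS\SYSFU32.EXE /s
O4 - HKLM\..\RunServices: [D3CY32.EXE] C:\WINDOWS\D3CY32.EXE /s
O4 - HKLM\..\RunServices: [APIUO32.EXE] C:\WINDOWS\APIUO32.EXE /s
O4 - HKLM\..\RunServices: [APIYS32.EXE] C:\WINDOWS\APIYS32.EXE /s
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
"""

# Matching subset of the file deletion list from the thread.
DELETE_LIST = r"""
C:\WINDOWS\system\vxeav.dll
C:\WINDOWS\SYSTEM\IETie.dll
C:\WINDOWS\SYSTEM\CRAS32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\APIUO32.EXE
C:\WINDOWS\APIUO32.EXE
"""

if __name__ == "__main__":
    result = review(FIX_ENTRIES.splitlines(), DELETE_LIST.splitlines())
    for label, paths in result.items():
        print(label)
        for p in paths:
            print("   ", p)
```

The three result lists are review items for whoever is doing the cleanup; entries with no local file, such as the O16 download URL, are skipped.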


#5 boop1967

boop1967
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 25 November 2005 - 04:53 PM

David,

I tried restarting my computer. At first it started up, what appeared to be successfully. I even looked in the ctrl-alt-delete to see if any of those bogus programs were running, and everything looked normal. But when I attempted to go online, the home page was still hijacked by about blank. When I tried to go elsewhere, it froze up. I restarted once more and it froze during startup. So here I am again.

I am going to attempt to download programs to a floppy to install on my computer. Should I try them in order that you mentioned above in your first response? I hope none are too large to fit on a floppy. That's the only media I have.

I'll go download some and check back on your answer... Betty

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:38 AM

Posted 25 November 2005 - 05:27 PM

Ok, yes run them in that order -

For priority do about:buster, CWShredder and hoster.

Don't worry about panda for now!

David

#7 boop1967

boop1967
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 25 November 2005 - 07:39 PM

Hello again,

I ran CWShredder, AboutBuster, and Hoster. I did not understand the last line in your instructions about Hoster that said, "Reboot and "copy/paste" a new log file into this thread, after completing any other instructions given."

Anyway, what's next? Do you want another Hijackthis log? Or should I run any other apps yet such as cwsservice, cleanup, or killbox?

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:38 AM

Posted 26 November 2005 - 04:19 AM

Do the cwsservice and do the killbox step:

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system\vxeav.dll
C:\WINDOWS\SYSTEM\IETie.dll
C:\WINDOWS\SYSTEM\CRAS32.EXE
C:\WINDOWS\SYSTEM\CRYS.EXE
C:\WINDOWS\ADDRO.EXE
C:\WINDOWS\SYSTEM\D3BU.EXE
C:\WINDOWS\SYSTEM\CRTB.EXE
C:\WINDOWS\SYSTEM\APIKI32.EXE
C:\WINDOWS\SYSTEM\ATLME.EXE
C:\WINDOWS\MFCRX.EXE
C:\WINDOWS\CRSP.EXE
C:\WINDOWS\SYSTEM\APPZY32.EXE
C:\WINDOWS\SYSHV32.EXE
C:\WINDOWS\SYSRP32.EXE
C:\WINDOWS\ADDPR32.EXE
C:\WINDOWS\JAVABK.EXE
C:\WINDOWS\SYSTEM\D3RW.EXE
C:\WINDOWS\CRFL32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\SYSFU32.EXE
C:\WINDOWS\MSTC32.EXE
C:\WINDOWS\SYSTEM\ADDZO32.EXE
C:\WINDOWS\APIUO32.EXE
C:\WINDOWS\APIUO32.EXE
C:\WINDOWS\SYSTEM\D3SA.EXE
C:\WINDOWS\WINXZ32.EXE
C:\WINDOWS\SYSTEM\APIDL32.EXE
C:\WINDOWS\SYSTEM\SDKGD32.EXE
C:\WINDOWS\SYSTEM\D3ZS.EXE
C:\WINDOWS\ADDWJ.EXE


Then do the Hijackthis step if you haven't done it already:

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: Class - {7B30F33D-4323-2428-D014-8BE0A8C8C8ED} - C:\WINDOWS\APPBU32.DLL
O2 - BHO: Class - {A3F9FD31-3DFB-13C1-8E7D-BCEAF75A15DA} - C:\WINDOWS\APPSR.DLL
O2 - BHO: Class - {A21DD4D8-BF05-767B-3F29-8EE39B7AA18D} - C:\WINDOWS\SYSTEM\WINTU.DLL
O2 - BHO: Class - {1544124E-0E58-9403-ED07-241C6B1E7CF1} - C:\WINDOWS\SYSTEM\APPFF.DLL
O2 - BHO: Class - {7BB24CAD-6CA1-2285-99FF-C427B6BA75DD} - C:\WINDOWS\SYSTEM\ADDFF.DLL
O2 - BHO: Class - {9E38F756-1C94-A683-BC63-98538C6D8819} - C:\WINDOWS\SYSTEM\APILF32.DLL
O2 - BHO: Class - {10388970-0592-BCC4-1BCB-3147DA75A2F6} - C:\WINDOWS\SYSTEM\NETQN.DLL
O2 - BHO: Class - {19B5C29D-9B4F-678C-449E-EDD9FE141A0B} - C:\WINDOWS\SYSTEM\IENF.DLL
O2 - BHO: Class - {4A35DEC1-AC71-E2CC-AA75-FE86733D32EC} - C:\WINDOWS\ADDGY.DLL
O2 - BHO: Class - {7DB11ADC-366B-476F-A044-6EDCAD101014} - C:\WINDOWS\APIIO32.DLL
O2 - BHO: Class - {D2B24D87-699F-16C6-2875-242B4CB88477} - C:\WINDOWS\SDKIM.DLL
O2 - BHO: Class - {0C53C50B-D818-F1CB-C013-1D3F181EDD6C} - C:\WINDOWS\NTDK32.DLL
O2 - BHO: Class - {0CDF6D82-5712-7179-76F5-8BCB61F5E50A} - C:\WINDOWS\APIYS32.DLL
O4 - HKLM\..\Run: [CRAS32.EXE] C:\WINDOWS\SYSTEM\CRAS32.EXE
O4 - HKLM\..\RunServices: [CRYS.EXE] C:\WINDOWS\SYSTEM\CRYS.EXE /s
O4 - HKLM\..\RunServices: [ADDRO.EXE] C:\WINDOWS\ADDRO.EXE /s
O4 - HKLM\..\RunServices: [D3BU.EXE] C:\WINDOWS\SYSTEM\D3BU.EXE /s
O4 - HKLM\..\RunServices: [CRTB.EXE] C:\WINDOWS\SYSTEM\CRTB.EXE /s
O4 - HKLM\..\RunServices: [APIKI32.EXE] C:\WINDOWS\SYSTEM\APIKI32.EXE /s
O4 - HKLM\..\RunServices: [ATLME.EXE] C:\WINDOWS\SYSTEM\ATLME.EXE /s
O4 - HKLM\..\RunServices: [MFCRX.EXE] C:\WINDOWS\MFCRX.EXE /s
O4 - HKLM\..\RunServices: [CRSP.EXE] C:\WINDOWS\CRSP.EXE /s
O4 - HKLM\..\RunServices: [APPZY32.EXE] C:\WINDOWS\SYSTEM\APPZY32.EXE /s
O4 - HKLM\..\RunServices: [SYSHV32.EXE] C:\WINDOWS\SYSHV32.EXE /s
O4 - HKLM\..\RunServices: [SYSRP32.EXE] C:\WINDOWS\SYSRP32.EXE /s
O4 - HKLM\..\RunServices: [ADDPR32.EXE] C:\WINDOWS\ADDPR32.EXE /s
O4 - HKLM\..\RunServices: [JAVABK.EXE] C:\WINDOWS\JAVABK.EXE /s
O4 - HKLM\..\RunServices: [D3RW.EXE] C:\WINDOWS\SYSTEM\D3RW.EXE /s
O4 - HKLM\..\RunServices: [CRFL32.EXE] C:\WINDOWS\CRFL32.EXE /s
O4 - HKLM\..\RunServices: [SYSFU32.EXE] C:\WINDOWS\SYSFU32.EXE /s
O4 - HKLM\..\RunServices: [D3CY32.EXE] C:\WINDOWS\D3CY32.EXE /s
O4 - HKLM\..\RunServices: [MSTC32.EXE] C:\WINDOWS\MSTC32.EXE /s
O4 - HKLM\..\RunServices: [ADDZO32.EXE] C:\WINDOWS\SYSTEM\ADDZO32.EXE /s
O4 - HKLM\..\RunServices: [APIUO32.EXE] C:\WINDOWS\APIUO32.EXE /s
O4 - HKLM\..\RunServices: [APIYS32.EXE] C:\WINDOWS\APIYS32.EXE /s
O4 - HKLM\..\RunServices: [D3SA.EXE] C:\WINDOWS\SYSTEM\D3SA.EXE /s
O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE /s
O4 - HKLM\..\RunServices: [APIDL32.EXE] C:\WINDOWS\SYSTEM\APIDL32.EXE /s
O4 - HKLM\..\RunServices: [SDKGD32.EXE] C:\WINDOWS\SYSTEM\SDKGD32.EXE /s
O4 - HKLM\..\RunServices: [D3ZS.EXE] C:\WINDOWS\SYSTEM\D3ZS.EXE /s
O4 - HKLM\..\RunServices: [ADDWJ.EXE] C:\WINDOWS\ADDWJ.EXE /s
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab


Then reboot and post new HJT log

David

#9 boop1967

Posted 26 November 2005 - 12:44 PM

I encountered a problem when trying to run cwsserviceremove. I unzipped it and then clicked on the icon it installed 'cwsserviceremove.reg'. It then asks me, "Are you sure you want to add the information in C:\\WINDOWS\DESKTOP\CWSSER~1.REG to the registry?" I clicked yes and it says, "Cannot import C:\\WINDOWS\DESKTOP\CWSSER~1.REG: The specified file is not a registry script. You can import only registry files."

Should I go straight to running KillBox?

#10 -David-

Posted 27 November 2005 - 10:42 AM

Yes, do that....

David

#11 boop1967

Posted 27 November 2005 - 07:56 PM

Here is the latest log for your review:

Logfile of HijackThis v1.99.1
Scan saved at 6:25:55 PM, on 11/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {055E8817-30B6-0373-E1F0-C963EAE63E96} - C:\WINDOWS\SYSTEM\MSRR.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200411...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab



Until next time... Thanks, Betty

#12 boop1967

Posted 27 November 2005 - 09:12 PM

David,

Sorry, I felt the need to post these 2 new logs for you.

Once I restarted my computer, all seemed fine, and I had deleted all the suspicious entries in hijack this and removed them from Windows.

But, when I tried to go to Internet Explorer, my home page was still hijacked to about blank.

I ran hijack this at that moment and found more crap which I removed, restarted into safe mode and back again to find it appeared to be clean again. But lo and behold, if I try to go to Internet Explorer, it is still hijacked.

Here is what the log looks like after I attempt to go into Internet Explorer:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:21 PM, on 11/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ADSGONE\ADSGONE.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {055E8817-30B6-0373-E1F0-C963EAE63E96} - C:\WINDOWS\SYSTEM\MSRR.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200411...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab



At this point, it seemed fairly obvious what to delete since I had seen what the earlier log had looked like. I deleted all entries which included qgqdb.dll and the one which included about:blank.

Here is what the last log looked like:

Logfile of HijackThis v1.99.1
Scan saved at 7:43:34 PM, on 11/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ADSGONE\ADSGONE.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {055E8817-30B6-0373-E1F0-C963EAE63E96} - C:\WINDOWS\SYSTEM\MSRR.DLL
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200411...meInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-18.cab


Thanks again... Betty
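The log comparison Betty describes above, as an added example that is not part of the original thread: the hijacked Internet Explorer settings point at vxeav.dll in the entries David listed and at qgqdb.dll in the later log, so the sketch compares logs by registry setting and entry shape instead of by file name. The labels, function names and the three heuristics are assumptions drawn from the patterns visible in these logs, not HijackThis's own classification.

```python
import ntpath
import re

# Constructed samples: entry lines copied from the logs quoted in this thread.
FIRST_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\vxeav.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\RunServices: [CRYS.EXE] C:\WINDOWS\SYSTEM\CRYS.EXE /s
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""
LATER_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qgqdb.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
RES_DLL_RE = re.compile(r"^(.+?) = res://(.+?\.dll)/", re.IGNORECASE)
RUNSVC_RE = re.compile(r"^HKLM\\\.\.\\RunServices: \[([^\]]+)\] (\S+) /s$")


def parse_entries(log_text):
    """Yield (code, body) for entry lines; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def findings(log_text):
    """Return (label, setting, file name) for entries matching the thread's patterns."""
    out = []
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1"):
            m = RES_DLL_RE.match(body)
            if m:  # IE setting resolved from a resource inside a local DLL
                out.append(("ie-setting-into-local-dll", m.group(1),
                            ntpath.basename(m.group(2)).lower()))
            elif body.endswith("Default_Page_URL = about:blank"):
                out.append(("default-page-about-blank", body.split(" = ")[0], None))
        elif code == "O4":
            m = RUNSVC_RE.match(body)  # value named after its own EXE, started with /s
            if m and ntpath.basename(m.group(2)).upper() == m.group(1).upper():
                out.append(("runservices-self-named", m.group(1),
                            ntpath.basename(m.group(2)).lower()))
    return out


def recurring(first_log, later_log):
    """Settings flagged in both logs, matched on (label, setting), ignoring file names."""
    first = {(label, setting) for label, setting, _ in findings(first_log)}
    later = {(label, setting) for label, setting, _ in findings(later_log)}
    return sorted(first & later)


def shared_file_names(first_log, later_log):
    """What a comparison by file name alone would find in common."""
    first = {name for _, _, name in findings(first_log) if name}
    later = {name for _, _, name in findings(later_log) if name}
    return first & later


if __name__ == "__main__":
    for label, setting in recurring(FIRST_LOG, LATER_LOG):
        print("still hijacked:", label, "->", setting)
    print("file names in common:", shared_file_names(FIRST_LOG, LATER_LOG) or "none")
```
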

#13 -David-

Posted 29 November 2005 - 01:24 PM

Right now I am using someone else's laptop because I can't get online with my computer. Sometimes it even freezes during startup. I can't get on there to successfully download anything. Once in a while it lets me, and of course the home page is hijacked. Then it may or may not let me proceed to other sites. It usually freezes up before I can do anything at all.


You originally said this, but can you now download programs?

david

#14 boop1967

Posted 29 November 2005 - 02:44 PM

No, you told me to try to copy programs to a disk to use on my computer, which I did. I am sorry if I wasn't clear that I was following your instructions in that manner... Betty

#15 -David-

Posted 29 November 2005 - 02:50 PM

Hmm, I need you to do all this again in one big go as at the moment it isn't working. You may have some of the programs already:

My name is David

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help getting it back to how it was.

It may look like a lot below - follow the instructions as carefully as possible and everything should be kool!
________________________________________________

Download CWShredder Here to its own folder.
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click here to download AboutBuster created by Rubber Ducky
Unzip AboutBuster to the desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit".

Click here to download cwsserviceremove.zip : http://castlecops.com/zx/flrman1/cwsserviceremove.zip
Unzip it to your desktop and have it ready to run later.

Download CleanUp!
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK

    DO NOT run it yet!
Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.

Make sure that you can see hidden files (Windows XP).
  • Click "Start".
  • Click "My Computer".
  • Select the "Tools" menu and click "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading, select "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Click "Yes" to confirm.
  • Uncheck the "Hide file extensions for known file types".
  • Click "OK".

Click Start > Run > and type in:

services.msc

Click OK.

In the services window find

Network Security Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File-Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Next run AboutBuster. Double click Aboutbuster.exe, click OK, click Start then click OK. This will scan your computer for the bad files and delete them.

Now, run CWShredder. Just click on the cwshredder.exe then click Fix (Not Scan only) and let it do its thing.

Now run cleanup!
  • Click on the "Cleanup" button and let it run.
  • Once its done, close the program.
Click Here to do a Panda online scan
  • If it asks you to install ActiveX controls, click Yes
  • If a box comes up telling you to install the program, also click Yes
  • Make sure you tick Disinfect automatically under Scan Options
  • Complete the scan and post the log that you can save afterwards in the same way you did the HJT log.
  • It is normal for it to take a reasonable time to complete
Please download hoster from the link below.
http://www.funkytoad.com/download/hoster.zip
  • Unzip Hoster.zip
  • Open Hoster.exe
  • Then click on "Restore Original Hosts"
  • Close program when complete.
  • Empty Recycle Bin
  • Reboot and "copy/paste" a new log file into this thread, after completing any other instructions given
If you have Spybot S&D installed you will also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html
Download SDHelper.dll
Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

Reboot and post another HijackThis log please.

David



