Need Help With Spysheriff Problems.


7 replies to this topic

#1 crillsna

crillsna

  • Members
  • 7 posts

Posted 27 November 2005 - 10:55 AM

Hi, I got infected with SpySheriff and got rid of most of it using the instructions on some thread on this forum, but there is still a very annoying problem remaining. "Popups" seem to pop up all the time. It's not really a popup, but it changes the active browser window to a commercial page, and if there's no browser active it opens the browser automatically. Very annoying problem. Can anyone help?

#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 27 November 2005 - 12:03 PM

Hi my name is David

Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the "Select Additional Tasks" dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

David

#3 crillsna

Posted 27 November 2005 - 12:19 PM

hi david, thx for doing this!
ok here it is:

Logfile of HijackThis v1.99.1
Scan saved at 18:15:39, on 2005-11-27
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\Trend Micro\Internet Security\pccguide.exe
C:\Program\Trend Micro\Internet Security\PCClient.exe
C:\Program\Trend Micro\Internet Security\TMOAgent.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Winamp\winampa.exe
C:\Program\Razer\razerhid.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\INstallfiler\FreeRAM XP Pro 1.40.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\SYSTEM32\MrobeService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program\Razer\razertra.exe
C:\Program\Vanliga filer\Panda Software\PavShld\pavprsrv.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\Program\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program\Razer\razerofa.exe
C:\Program\Trend Micro\Internet Security\tmproxy.exe
C:\Program\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hedgie.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Crills\Skrivbord\wtvClient.exe
C:\Program\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lnkar
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RAMBooster] C:\Documents and Settings\Crills\Skrivbord\ramboost.exe C:\Documents and Settings\Crills\Skrivbord\
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [1sGYLVh$/E%)C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\fskxxwbr.exe
O4 - HKLM\..\Run: [razer] C:\Program\Razer\razerhid.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\INstallfiler\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [Steam] "d:\program\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Use as &Display Picture - C:\Program\IEDP2\IEDP.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/...icInstaller.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: Time Zones - C:\WINDOWS\system32\f42m0ef1eh2.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Vanliga filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program\Vanliga filer\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program\Trend Micro\Internet Security\tmproxy.exe

#4 crillsna

Posted 29 November 2005 - 05:34 AM

bump

#5 crillsna

Posted 30 November 2005 - 02:22 PM

Is there someone that can help? Would be really helpful.

#6 -David-

Posted 30 November 2005 - 02:26 PM

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link for "SpySweeper" to download the program. NOTE: DO NOT click the Free Spyware Scan link.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

#7 crillsna

Posted 30 November 2005 - 05:04 PM

The SpySweeper log is too big to fit. It seems SpySweeper killed the popups; everything works fine, just that my Windows doesn't seem to be able to restore the "XP theme". Anyway, here's HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 23:00:53, on 2005-11-30
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\D-Tools\daemon.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Winamp\winampa.exe
C:\Program\Razer\razerhid.exe
C:\WINDOWS\System32\hedgie.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\INstallfiler\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\SYSTEM32\MrobeService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program\Razer\razertra.exe
C:\Program\Razer\razerofa.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\BitTornado\btdownloadgui.exe
C:\Program\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Lnkar
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RAMBooster] C:\Documents and Settings\Crills\Skrivbord\ramboost.exe C:\Documents and Settings\Crills\Skrivbord\
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [1sGYLVh$/E%)C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\fskxxwbr.exe
O4 - HKLM\..\Run: [razer] C:\Program\Razer\razerhid.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\INstallfiler\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Use as &Display Picture - C:\Program\IEDP2\IEDP.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRAM\MESSEN~1\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O20 - Winlogon Notify: msupdate - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Vanliga filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\SYSTEM32\MrobeService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program\Webroot\Spy Sweeper\WRSSSDK.exe

Edited by crillsna, 30 November 2005 - 05:08 PM.


#8 -David-

Posted 01 December 2005 - 01:06 PM

XP Theme fix (following the use of CleanUp!)
It appears that CleanUp! corrupts the luna.msstyles file, so that the XP Theme no longer functions. This widely used fix simply replaces the corrupt file with a new one to correct the problem. (Perchance Luna XP Theme file(s) are actually missing, add those from the download to the appropriate place.)
  • Go to Kelly's Korner:
  • Go to list item #187, and in the RHS column, click on "Restore Luna Theme" to download "Resources.zip".
  • Unzip that (wherever you wish) and within those folders, navigate to the "luna.msstyles" (or "luna ..." whatever it may happen to be called on that machine) file only.
    Resources\Resources\Theme\Luna\luna.msstyles <<<this file
  • Right-click on the "luna ..." file (not the folder) and select "Copy" (to copy this file to the Clipboard).
  • Then, using Windows Explorer, (having first confirmed that all system and hidden files and folders are visible) navigate to
    C:\Windows\Resources\Themes\Luna\luna ... <<<this file (if it exists)
    and drag it (the "luna ..." file, not the folder) out of the way (say, onto the desktop for temporary safe-keeping).
  • Paste in the new "luna ..." file to replace the one just removed (right-click on a blank area of the "Luna" folder, and select "Paste" in the menu that pops up).
  • Double-click on it (the "luna ..." file) and hey presto! XP Theme is back!
  • Then check the setting in Control Panel to confirm that XP Theme (as opposed to Classic Theme) is selected for the future.
  • Delete the old and unwanted files/folders that will no longer be required.

Please do both of the following before we start if possible!:

1) Please print off these instructions - they will be needed later when internet access is not available.
2) Save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
At the moment you may feel like you are battling with your computer to keep it running smoothly, but doing the following things should most certainly help getting it back to how it was.
_____________________

Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
DO NOT run it yet.
_____________________

With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [1sGYLVh$/E%)C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\fskxxwbr.exe
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\

_____________________

Boot into Safe Mode

Double-click on Killbox.exe to run it.
Now put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.
Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\fskxxwbr.exe
C:\WINDOWS\System32\hedgie.exe
C:\Program\ISTsvc\istsvc.exe

_____________________

Manually delete this folder:

C:\Program\ISTsvc
_____________________

Please Navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)
_____________________

Then go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
_____________________

Finally go to Control Panel > Internet Options.
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.
_____________________

Empty the Recycle Bin.
_____________________

Reboot to normal mode and post a new HJT log
David
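
The entries picked out of the second log above share a few structural traits that can be checked mechanically. This is an added example, not part of the original posts and not HijackThis's own logic: the parser and the three review heuristics (one target under several autostart keys, a Run value name that embeds a file path, a Winlogon Notify entry that does not point at a DLL) are assumptions chosen for illustration, and the sample is a handful of lines copied from that log.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [1sGYLVh$/E%)C:\Program\ISTsvc\istsvc.exe] C:\WINDOWS\fskxxwbr.exe
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# O4 registry autostarts look like: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.+)$")
# O20 lines look like: O20 - Winlogon Notify: name - path
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


def parse_autostarts(log_text):
    """Return (kind, location, name, target) tuples for O4 registry and O20 lines."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(("O4", m.group(1), m.group(2), m.group(3)))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(("O20", "Winlogon Notify", m.group(1), m.group(2)))
    return entries


def review_candidates(entries, min_locations=3):
    """Map entry name -> reasons it deserves a manual look (heuristics, not verdicts)."""
    reasons = defaultdict(list)
    locations = defaultdict(set)
    for kind, loc, name, target in entries:
        if kind == "O4":
            locations[target.lower()].add(loc)
            if DRIVE_PATH_RE.search(name):
                reasons[name].append("value name embeds a file path")
        elif not target.lower().endswith(".dll"):
            # Winlogon notification packages are DLLs; anything else is malformed.
            reasons[name].append("notify entry does not point at a DLL")
    for kind, loc, name, target in entries:
        count = len(locations[target.lower()]) if kind == "O4" else 0
        if count >= min_locations:
            msg = "same target registered under %d autostart keys" % count
            if msg not in reasons[name]:
                reasons[name].append(msg)
    return dict(reasons)


if __name__ == "__main__":
    for name, why in review_candidates(parse_autostarts(SAMPLE_LOG)).items():
        print(name, "->", "; ".join(why))
```

A hit only marks an entry for manual review; legitimate software can trip any of these checks, so each flagged path still needs to be identified before anything is removed.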



