
Spyware almost gone


  • This topic is locked
58 replies to this topic

#1 mrjeff

  • Members
  • 33 posts

Posted 09 June 2004 - 10:09 PM

The spyware is almost all cleared out but I still have some that Spybot & Adaware
will not remove. Please help! Here is the last log:
Jeff

Edited by mrjeff, 09 June 2004 - 10:45 PM.




#2 mrjeff


Posted 09 June 2004 - 10:47 PM

Logfile of HijackThis v1.97.7
Scan saved at 10:09:28 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\EarthLink 5.0\conmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BQTray.exe
C:\Program Files\CasinoOnline\CsRemnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\XEROX\Pagis\Monitor.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JEFF HUDSON\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {0ABBE6B4-9EF2-453A-9E92-45EFD96EA464} - c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp310\a0031482.dll (file missing)
O2 - BHO: (no name) - {1BC96F17-BABB-4CEA-B65C-B96BB86F0290} - c:\windows\system32\klkeh.dll (file missing)
O2 - BHO: (no name) - {3D280B8D-DCEA-4D5F-AB9F-2BD78CEC9B69} - c:\windows\system32\ace.dll (file missing)
O2 - BHO: (no name) - {507F506E-000F-43D6-91DE-3ADD4F10F587} - c:\windows\system32\jhjj.dll (file missing)
O2 - BHO: (no name) - {5C7229BC-C5C3-4BD7-A443-C9F0E518A7A1} - c:\windows\system32\ilmjkpe.dll (file missing)
O2 - BHO: (no name) - {62C7583B-CB5E-4795-9BFD-41FE36D0C814} - c:\windows\system32\ipk.dll (file missing)
O2 - BHO: (no name) - {65BA9CD6-622D-4ACF-B009-1E1403B83FA9} - c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp323\a0032785.dll (file missing)
O2 - BHO: (no name) - {708C8800-6D3C-4812-AD8F-DB0376398767} - c:\windows\system32\ncni.dll (file missing)
O2 - BHO: (no name) - {736F6D7D-4E78-4DA6-9552-6E4ADFD81D52} - c:\recycler\s-1-5-21-4031280076-1170651086-2577737020-1008\dc35.dll (file missing)
O2 - BHO: (no name) - {74BB8F7D-0E79-41DC-8FF7-15CC5A9830D0} - c:\windows\system32\gndb.dll (file missing)
O2 - BHO: (no name) - {776678F4-E60B-4880-BC65-CF5309CBCCB1} - c:\windows\system32\kcakhi.dll (file missing)
O2 - BHO: (no name) - {8F773694-FB7D-4447-8ECA-8858959225FD} - c:\windows\system32\lbiclbc.dll (file missing)
O2 - BHO: (no name) - {957B10BF-144E-4AE4-8F83-D45097944DD8} - c:\windows\system32\keomkaf.dll (file missing)
O2 - BHO: (no name) - {9F5D7120-3941-4A60-8A76-EE9D4804F736} - c:\windows\system32\dgp.dll (file missing)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O2 - BHO: (no name) - {B273AA64-63B0-4213-A863-5076C4992C5F} - c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp310\a0031457.dll (file missing)
O2 - BHO: (no name) - {E1FA73BE-1D61-44B2-9DCF-50F092ADD6F4} - C:\WINDOWS\System32\hinppda.dll
O2 - BHO: (no name) - {EFBAAA01-75B4-4431-94F5-00BCA402632F} - c:\windows\system32\ljgal.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Pagis Scheduler.lnk = C:\Program Files\XEROX\Pagis\Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1084752507937
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7947.6338888889
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

#3 Grinler

    Lawrence Abrams

  • Admin
  • 43,715 posts
  • Gender:Male
  • Location:USA

Posted 09 June 2004 - 11:59 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please put a checkmark in the box for each of these entries, close all other windows, and click the fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {0ABBE6B4-9EF2-453A-9E92-45EFD96EA464} - c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp310\a0031482.dll (file missing)
O2 - BHO: (no name) - {1BC96F17-BABB-4CEA-B65C-B96BB86F0290} - c:\windows\system32\klkeh.dll (file missing)
O2 - BHO: (no name) - {3D280B8D-DCEA-4D5F-AB9F-2BD78CEC9B69} - c:\windows\system32\ace.dll (file missing)
O2 - BHO: (no name) - {507F506E-000F-43D6-91DE-3ADD4F10F587} - c:\windows\system32\jhjj.dll (file missing)
O2 - BHO: (no name) - {5C7229BC-C5C3-4BD7-A443-C9F0E518A7A1} - c:\windows\system32\ilmjkpe.dll (file missing)
O2 - BHO: (no name) - {62C7583B-CB5E-4795-9BFD-41FE36D0C814} - c:\windows\system32\ipk.dll (file missing)
O2 - BHO: (no name) - {65BA9CD6-622D-4ACF-B009-1E1403B83FA9} - c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp323\a0032785.dll (file missing)
O2 - BHO: (no name) - {708C8800-6D3C-4812-AD8F-DB0376398767} - c:\windows\system32\ncni.dll (file missing)
O2 - BHO: (no name) - {736F6D7D-4E78-4DA6-9552-6E4ADFD81D52} - c:\recycler\s-1-5-21-4031280076-1170651086-2577737020-1008\dc35.dll (file missing)
O2 - BHO: (no name) - {74BB8F7D-0E79-41DC-8FF7-15CC5A9830D0} - c:\windows\system32\gndb.dll (file missing)
O2 - BHO: (no name) - {776678F4-E60B-4880-BC65-CF5309CBCCB1} - c:\windows\system32\kcakhi.dll (file missing)
O2 - BHO: (no name) - {8F773694-FB7D-4447-8ECA-8858959225FD} - c:\windows\system32\lbiclbc.dll (file missing)
O2 - BHO: (no name) - {957B10BF-144E-4AE4-8F83-D45097944DD8} - c:\windows\system32\keomkaf.dll (file missing)
O2 - BHO: (no name) - {9F5D7120-3941-4A60-8A76-EE9D4804F736} - c:\windows\system32\dgp.dll (file missing)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O2 - BHO: (no name) - {B273AA64-63B0-4213-A863-5076C4992C5F} - c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\rp310\a0031457.dll (file missing)
O2 - BHO: (no name) - {E1FA73BE-1D61-44B2-9DCF-50F092ADD6F4} - C:\WINDOWS\System32\hinppda.dll
O2 - BHO: (no name) - {EFBAAA01-75B4-4431-94F5-00BCA402632F} - c:\windows\system32\ljgal.dll (file missing)
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot your computer into Safe Mode.

Then delete these files or directories
C:\PROGRA~1\Toolbar\
C:\WINDOWS\System32\hinppda.dll
C:\Program Files\CasinoOnline\
C:\WINDOWS\svchost.exe
c:\windows\system\image.dll or c:\windows\system32\image.dll
c:\freescan\

Disable System Restore. You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide

Re-enable system restore with instructions from tutorial above

Reboot into normal mode:

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

or

http://209.133.47.200/~merijn/index.html

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot windows and press F8 at boot/windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder

Then reboot into normal mode again and post a new log

#4 mrjeff


Posted 10 June 2004 - 08:16 PM

My pc was connected with the internet earlier today. Do I need to run the spybot and ad-aware again? Also, I have been running cwshredder first then spy and adaware. Do I need to wait until after the HJT?

#5 Grinler


Posted 10 June 2004 - 10:59 PM

Post another hijackthis log and let's see what we have left after the last fix. We can see if anything else snuck back in as well.

#6 mrjeff


Posted 10 June 2004 - 11:34 PM

Thank You for the response. I'll need some instructions on how to find the files & directories you said to delete. I rebooted in safe mode but cannot find them.
Here is the log:

Attached Files


Edited by mrjeff, 11 June 2004 - 12:03 AM.


#7 mrjeff


Posted 10 June 2004 - 11:39 PM

Here is the log:

Attached Files


Edited by mrjeff, 11 June 2004 - 12:05 AM.


#8 mrjeff


Posted 11 June 2004 - 12:09 AM

Sorry I'm having trouble attaching this

Edited by mrjeff, 11 June 2004 - 12:25 AM.


#9 mrjeff


Posted 11 June 2004 - 12:21 AM

I think I got it. It's very late

Attached Files


Edited by mrjeff, 11 June 2004 - 12:23 AM.


#10 Grinler


Posted 11 June 2004 - 08:14 AM

To delete a file in safe mode, boot into safe mode:

The best way to delete these files is to use windows explorer. Click on start, then run, and type explorer. Then navigate till you find the file or directory you want to delete.

For example to delete the file:

c:\windows\svchost.exe

You would open up windows explorer and click on the plus next to the following. First my computer, then c: drive, then windows. You would then click on the Windows folder in the left section to see its contents and delete the svchost.exe file from there.

Make sure you do not delete c:\windows\system32\svchost.exe as that is a valid file. We only want to delete c:\windows\svchost.exe


Please do this though in normal mode:

Step 1. Download DLLFix from:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix and double-click on start.bat

Step 5. Run Option 1 by pressing 1. The program will now start searching.

Step 6. Once the search is complete a notepad will open called output.txt. Post the contents as a reply to this post.
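
An added example, not part of Grinler's post and not code from HijackThis or BleepingComputer: the manual triage from posts #3 and #10 expressed as Python that reads HijackThis log lines and flags res:// redirects into a local DLL, BHO registrations whose DLL is missing or is that same DLL, and Run entries that reuse a system process name outside system32. The names `triage`, `run_target` and `SYSTEM_NAMES`, and the choice of rules, are assumptions made for this example.

```python
import ntpath
import re

# Excerpt of lines copied from the HijackThis log in post #2 (not the whole log).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hinppda.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
O2 - BHO: (no name) - {1BC96F17-BABB-4CEA-B65C-B96BB86F0290} - c:\windows\system32\klkeh.dll (file missing)
O2 - BHO: (no name) - {E1FA73BE-1D61-44B2-9DCF-50F092ADD6F4} - C:\WINDOWS\System32\hinppda.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

SYSTEM32 = r"c:\windows\system32"
# Assumption: process names that a default Windows XP install keeps only in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}

ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RES_DLL = re.compile(r"res://(.+?\.dll)/", re.I)
BHO = re.compile(r"^BHO: .*? - \{[0-9A-F-]+\} - (.*)$", re.I)
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[.*?\] (.*)$")

def run_target(command):
    """Return the executable path of a Run value, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""

def triage(log_text):
    """Return (line, reason) pairs for entries worth a closer look."""
    entries = [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]
    # Pass 1: collect DLLs that IE search/start settings load through res:// URLs.
    res_dlls = {ntpath.normcase(m.group(1))
                for code, body in entries if code.startswith("R")
                for m in [RES_DLL.search(body)] if m}
    findings = []
    for code, body in entries:
        line = f"{code} - {body}"
        if code.startswith("R") and RES_DLL.search(body):
            findings.append((line, "IE setting points at a page inside a local DLL"))
        elif code == "O2" and (m := BHO.match(body)):
            target = m.group(1)
            if target.endswith("(file missing)") or target == "(no file)":
                findings.append((line, "BHO registration left behind, DLL not on disk"))
            elif ntpath.normcase(target) in res_dlls:
                findings.append((line, "BHO DLL also serves the res:// redirect"))
        elif code == "O4" and (m := RUN.match(body)):
            exe = ntpath.normcase(run_target(m.group(1)))
            if ntpath.basename(exe) in SYSTEM_NAMES and ntpath.dirname(exe) != SYSTEM32:
                findings.append((line, "system process name outside system32"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

A flagged line is a prompt for review, not a verdict: the rules only encode the path and leftover-registration checks discussed in this thread.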

#11 mrjeff


Posted 11 June 2004 - 10:11 PM

All spysearch programs have been run in my acct. When I booted into safe mode the search was being run in the other acct. The hidden files were not being shown and the change was made. Should I have rebooted when this was done? Only one file was found and deleted. A file that had information about "freescan" "svchost" and "CasinoOnline " was the only one. It is <C:\WINDOWS\PCHealth\Help Ctr\Data Coll\Collected Data> Should the files be difficult to find?

I'm holding off the DLLFix download until I know this step is correct.
Thanks for your patience!

#12 Grinler


Posted 12 June 2004 - 12:27 PM

Do not delete the files from here:

C:\WINDOWS\PCHealth\Help Ctr\Data Coll\Collected Data

Only delete the specific files that I list.

You will not always find the files listed in hijackthis. Sometimes the entries are leftovers from a previous removal or hijackthis deletes the file.

Please continue with the dllfix step.

#13 mrjeff


Posted 12 June 2004 - 02:52 PM

Here are the results of the dllfix

Attached Files



#14 mrjeff


Posted 12 June 2004 - 03:02 PM

Here is the dllfix.
If this cannot be opened I need some help. I'm missing a step somewhere in the posting.

Attached Files



#15 mrjeff


Posted 12 June 2004 - 03:05 PM

Tried again

Attached Files





