Posts posted by njustice
-
-
If you still need someone give me a PM.
-
Awesome Jeff
-
Liz you are welcome, now moving this topic into the Hijackthis logs resolved forum.
Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
-
Hi Liz, I would recommend you change all passwords you use, other than that....
CONGRATULATIONS! At last, your system is clean and free of spyware! Want to keep it that way?
Here are some simple steps you can take to reduce the chance of infection in the future. Please do these steps as soon as possible if you haven't already.
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp
2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.
3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
d. Bugoff: http://www.majorgeeks.com/download4308.html
4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick
6. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. See the links below:
a. ZoneAlarm
b. Kerio
7. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore.
a. Turn off system restore by right clicking on "My Computer" and go to "Properties"->"System Restore" and check the box for "Turn off System Restore". Click "Apply" and then "OK". Restart your computer. Reverse these steps and turn "System Restore" back on and create a new restore point.
8. Use GoogleToolbar - It's free, blocks popups and takes seconds to install. Use the toolbar without the advanced features enabled (check this during install); the toolbar is completely inert--it doesn't send any information to Google whatsoever as you surf.
9. RegScrubXP 3.25 - Safely cleans junk out of the Windows 2000/XP system registry. All changes made to the registry are fully restorable to its original condition.
10. Online Virus Scans - Run these on a regular basis (I usually do about once a month or when I suspect a problem):
a. http://www.pandasoftware.com/activescan/co...n_principal.htm
b. http://www.windowsecurity.com/trojanscan/
c. http://housecall.trendmicro.com/
d. http://www.bitdefender.com/scan/licence.php
11. Alternative Browsers - Using an alternative browser other than IE will IMMENSELY reduce the risk of infection:
a. Firefox <== my #1 choice
b. Avant
c. Opera
Good luck, and thanks for coming to our forums for help with your security and malware issues.
-
Hi Liz, here is an easier way to clean out those files:
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr
Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove.
-
Hi Liz, your link to HijackFree won't work for me.
================
Double-click on KillBox to launch it, then click to enable Delete on Reboot. Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
C:\WINDOWS\SYSTEM32\ps1.exe
C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\blank.gif
C:\DOCUMENTS AND SETTINGS\LIZ\LOCAL SETTINGS\TEMP\motoin.exe
C:\sp.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\unstall.exe
C:\PROGRAM FILES\MySearch
C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX
C:/WINDOWS/DOWNLOADED PROGRAM FILES/MEDIAACCX.DLL
C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\DFBJLT8E\upd208[1].exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\WONWebLauncherControl.ocx
C:\WINDOWS\Downloaded Program Files\m67m.inf
C:\WINDOWS\Downloaded Program Files\m67m.ocx
C:\WINDOWS\Downloaded Program Files\pcs_0006.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\Downloaded Program Files\popcaploader.inf
C:\WINDOWS\Downloaded Program Files\WONWebLauncherControl.ocx
C:\WINDOWS\lhzgzhbk.exe
C:\WINDOWS\Live_Sex.exe
C:\WINDOWS\system\UpdInst.exe
C:\WINDOWS\temp\upd208.exe
C:\WINDOWS\unstall.exe
==============
Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!):
- C:\Windows\Temp\
- C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
- C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
- C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
- C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
- Empty your "Recycle Bin"
===============
Make sure Ewido, Adaware and Spybot are updated, and fix what they find, rebooting in between each scan. Report back on how your computer is running.
-
Liz, go ahead and post the report after you're done with the other scan.
-
Liz, after consulting with other experts we feel that the two files you scanned at Jotti's are in fact bad.
Double-click on KillBox to launch it, then click to enable Delete on Reboot. Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
C:\log.txt
C:\win.txt
C:\windows.txt
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\uccspecb.sys
C:\WINDOWS\ojojo.dll
Also for peace of mind please do the following online scans:
http://www.pandasoftware.com/activescan/co...n_principal.htm
http://www.windowsecurity.com/trojanscan/
Report back any files that cannot be removed.
Let me know how your computer is running.
-
Hi Liz,
I need you to go HERE and browse to the files below, one at a time then Submit for analysis. Please copy and paste the Scanner results and Status back here.
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\uccspecb.sys
-
Liz, I need you to do the following as well:
Download WinPFind.zip from HERE and extract it to your C:\ folder.
This will create a folder called WinPFind in the C:\ folder.
Disconnect from the net and stay offline until all steps are complete.
Perform these steps for each account.
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option 4 to Merge Winlogon Notify Defaults, Press enter, wait a few moments.
Then double-click WinPFind.exe inside c:\WinPFind to launch the program.
Then click on the Start Scan button and wait for it to finish.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
When it is done, it will show the results of the scan.
Click on the Copy to Clipboard button and then paste the contents of your clipboard in your next reply.
-
Hi Liz, when you're done removing the following items, can you post the exact messages you're getting for the 2 'new hardware found' boxes?
Liz:
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
Rick:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
Jade:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
Skye:
You have Hijackthis running from the temporary directory; it needs to be in a folder of its own like the other accounts. I also recommend you remove weatherbug via add/remove programs since it usually comes bundled with crapware. Desktop Weather is a better alternative, like Rick is using in his account.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...02/cpbrkpie.cab
After removing items, please reboot your computer, run Hijackthis and check if items have been removed. If any items are not removed let me know which ones and for what account(s).
-
Download Killbox here:
http://www.downloads.subratam.org/KillBox.zip
Unzip to desktop.
Double-click on KillBox to launch it, then click to enable Delete on Reboot. Please type in the following complete file path into the top box of KillBox :
C:\WINDOWS\imgurla.exe
Now, click on the little red circle button (with a white "X") and click "Yes" to delete and then "Yes" to "Reboot now".
If it doesn't reboot on its own, then you reboot the computer yourself. Once restarted, Run HiJackThis and click "Scan", then post new logs from all accounts on your computer.
-
Hi Liz, if possible then yes I would like to see the log...thanks Njustice!
-
Liz....did you run l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter on hubby's account? If not, please do so and tell me which account is set up as Administrator/Owner.
Also....do the following under Admin/Owner account:
Download rkfiles.zip and unzip it to its own permanent folder.
Important! Reboot in SAFE MODE !!
Start in Safe Mode Using the F8 method:
- Restart the computer in Safe Mode.
- As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
- Use the arrow keys to select the Safe Mode menu item.
- Press the Enter key.
Locate the rkfiles.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.
Post the contents of C:\log.txt back here and I will review it when it comes in.
-
CsrLiz344,
-
You may wish to print out a copy of these instructions to follow while you complete this procedure.
===============
Go to Add/Remove programs and remove(uninstall) the following, if present:
Viewpoint Toolbar
===============
Go to www.trendmicro.com (if you're using Firefox or Netscape, go to be.trendmicro-europe.com) and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix. If you encounter problems during this step, please move on to the next step.
==============
Run HiJackThis and click "Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAcc...e/bridge-c8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":
folders...
C:\Program Files\Viewpoint
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
===============
Reboot your computer.
Post back a new log, report any problems and let me know how everything goes.
IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!
-
~Njustice~
-
Close any programs you have open since this step requires a reboot.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
-
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
-
culinfi,
===============
Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's:
1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders:
fpapli.exe*
2) Then if any are found in the 'prefetch' folder, delete them.
Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it.
===============
Next, Open a command prompt by:
1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).
-
Now, locate and 'stop' the following services, if present:
Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) owner ... (C:\WINNT\system32\addvq32.exe)
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
===============
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINNT\system32\addvq32.exe
C:\WINNT\system32\fpapli.exe
C:\WINNT\system32\addfy.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u netra.dll
regsvr32 /u ntgw.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run HiJackThis and click "Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5F15F26C-81EE-4FFA-8B9A-39913016CD37} - C:\WINNT\system32\netra.dll
O2 - BHO: (no name) - {D287B913-740E-605C-9967-D4EEFBA2E464} - C:\WINNT\system32\ntgw.dll
O4 - HKLM\..\Run: [addfy.exe] C:\WINNT\system32\addfy.exe
O4 - HKLM\..\Run: [sdkpn.exe] C:\WINNT\system32\sdkpn.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\addvq32.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":
folders...
C:\Program Files\NZSearch
files...
C:\WINNT\system32\addvq32.exe
C:\WINNT\system32\fpapli.exe
C:\WINNT\system32\addfy.exe
C:\WINNT\system32\netra.dll
C:\WINNT\system32\ntgw.dll
C:\WINNT\system32\sdkpn.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
===============
Reboot your computer.
===============
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix.
Post back a new log, report any problems and let me know how everything goes.
IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!
-
~Njustice~
-
culinfl,
Hello! and welcome to our forums.
===============
Go to add/remove programs and uninstall AWS..aka Weatherbug. We'll get you a safer alternative when we're done cleaning up your computer.
===============
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:
1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".
When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix.
===============
We'll need to download these program(s) to help us deal with the "About:Blank" infection:
-
Download, unzip to your desktop CWShredder and run it, then:
1. Click "Check For Update"
(If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Exit the program.
-
Download, unzip to your desktop About:Buster and run it, then:
1. Click "Update".
2. Click "Check For Update"
(If no new version is available, skip to step #4.)
3. Click "Download Update", and wait for it to be installed.
4. Exit the program.
===============
Reboot your computer into "Safe Mode"
===============
Next, locate CWShredder that you downloaded earlier and run it, then:
1. Click "Fix ->"
===============
Next, locate About:Buster that you downloaded earlier and run it, then:
1. Click "Start".
(Wait for the initial ADS scan to complete.)
2. Click "Yes", to shutdown any IE session currently open.
(Wait for the about:blank scan to complete.)
3. Click "Ok", to scan once more.
4. Click "Yes", to shutdown any IE sessions currently open.
5. Click "Yes", to begin the second pass.
6. Click "Save log", and post this log back along with your new log.
7. Click "Exit".
8. Click "Exit".
===============
Reboot your computer normally.
===============
Before we begin, let's move HiJackThis to its own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in its current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Also move the "Backups" folder, for HiJackThis, if present.
===============
Go to Start->Run and type "Services.msc" (without quotes) then hit OK
Scroll down and find the service called.
Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I)
Make sure it is selected in color. Right click on the service and click on stop. Right click on it again and go to Properties. In the Properties screen and under the General Tab, change the Startup Type to Disabled in the dropdown box. Click on Apply. Then OK. If the service isn't listed go ahead with the rest of these instructions anyway.
===============
Run HiJackThis and click "Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {402791F6-FBDB-0DE4-9CCF-B2B6F4AD32B2} - C:\WINNT\iplq.dll
O4 - HKLM\..\Run: [winsn.exe] C:\WINNT\system32\winsn.exe
O4 - HKLM\..\RunOnce: [syssg32.exe] C:\WINNT\system32\syssg32.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15b531c1828480...ip/RdxIE601.cab
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwg32.exe (file missing)
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":
folders...
C:\PROGRAM FILES\AWS
files...
C:\WINNT\system32\winsn.exe
C:\WINNT\system32\syssg32.exe
C:\WINNT\system32\gqkrs.dll
C:\WINNT\iplq.dll
C:\WINNT\system32\winwg32.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
===============
Reboot your computer.
Post back a new log, report any problems and let me know how everything goes.
IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!
-
~Njustice~
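The HijackThis entries listed in the post above, run through a small triage parser. This is an added example, not part of the original post and not HijackThis code; the sample lines are copied from that post, while the flag names and the heuristics behind them are assumptions made for illustration.

```python
"""Group HijackThis log lines by section code and flag entries for review."""
import re

# Section codes as they appear in the entries quoted in these posts.
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE start/search page",
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object (BHO)",
    "O3": "IE toolbar",
    "O4": "Autostart (Run/RunOnce/Startup)",
    "O8": "IE extra context menu item",
    "O9": "IE extra button / Tools menu item",
    "O15": "Trusted Zone site",
    "O16": "Downloaded Program Files (DPF)",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")
# Drive-letter path ending in an executable or library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|\r\n]+?\.(?:exe|dll|ocx|sys)\b',
                     re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log entry, or None for a non-entry line."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    code, body = match.groups()

    # Assumed review heuristics, based on traits visible in the quoted entries.
    flags = []
    if code == "O2" and "(no name)" in body:
        flags.append("unnamed-bho")
    if code == "O23" and "Unknown owner" in body:
        flags.append("service-unknown-owner")
    if "(file missing)" in body:
        flags.append("file-missing")
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2]
        if value.startswith("res://") or value == "about:blank":
            flags.append("ie-page-res-or-blank")
    if code == "O15":
        flags.append("trusted-zone-entry")

    return {
        "code": code,
        "section": SECTIONS.get(code, "unknown section"),
        "paths": PATH_RE.findall(body),
        "flags": flags,
        "raw": line.strip(),
    }


def triage(log_text):
    """Parse every entry line in a pasted log, skipping headers and blanks."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def flagged_paths(entries):
    """Unique, lower-cased file paths that belong to flagged entries."""
    return sorted({p.lower() for e in entries if e["flags"] for p in e["paths"]})


# Sample input: lines copied from the HijackThis entries in the post above.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\gqkrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {402791F6-FBDB-0DE4-9CCF-B2B6F4AD32B2} - C:\WINNT\iplq.dll
O4 - HKLM\..\Run: [winsn.exe] C:\WINNT\system32\winsn.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\winwg32.exe (file missing)
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        marks = ", ".join(entry["flags"]) or "no flag"
        print(f'{entry["code"]:<4}{entry["section"]:<36}{marks}')
    print("Paths on flagged entries:")
    for path in flagged_paths(triage(SAMPLE)):
        print("  " + path)
```

A flag only marks an entry for a closer look: the O4 autostart line carries no flag here yet was on the fix list in the post, so unflagged entries still need a human read.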
-
-------------------------------------------------------------------------
Hello,
Please download this self extracting file to your My Downloads folder or My Received Files (dependent on your Operating System):
http://www.merijn.org/files/hijackthis_sfx.exe
Click the "Save" button.
Navigate to My Documents > choose the My Downloads or My Received Files folder; once inside that folder, click "Save".
Now go to the folder you saved HijackThis_sfx.exe in.
Double click HijackThis_sfx.exe and select Unzip. When done click "OK".
Close the WinZip self Extractor window.
Navigate to C:\Program Files\HijackThis and double click HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and paste Ctrl-V its contents here [Add Reply].
Most of what it lists will be harmless or even essential, don't fix anything yet.
-------------------------------------------------------------------------
Created and submitted by Njustice.
-
[A] One....Two....Three....CRUNCH!......it takes three licks to get to the center of a Tootsie Pop!
Paper or Plastic?
-
-B is used to restart your computer after files have been reorganized.
-
I don't see it....
By the way I have IconWorkshop 5.0 if you need my services.
-
Along with a² free....
-------------------------------------------------------------------------
Run these two free online scans allowing them to fix or delete anything they locate, please note any item they could not remove and the location, post this information in your next thread.
http://www.pandasoftware.com/activescan/co...n_principal.htm
http://www.windowsecurity.com/trojanscan/
-------------------------------------------------------------------------
Ignore List Error (as Notified By Spyware Doctor)
in Malware Removal
Posted
Hi there, and welcome to the forums!
Disable Spyware Doctor:
Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
Once your log is clean you can re-enable Spyware Doctor.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customi...arch.yahoo.com/
O4 - Startup: MP3 Rocket (silent).lnk = C:\Program Files\MP3 Rocket\MP3Rocket_on_startup.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZJxdm027YYGB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
Click on Fix Checked when finished and exit HijackThis.
Next download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Once the scan is complete do the following: