LineOFire

Posts posted by LineOFire

  1. Your log shows that you didn't disable TeaTimer. I urge you to please do it until I give you the all clear.

    You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O2 - BHO: (no name) - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - (no file)

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O2 - BHO: (no name) - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

    O4 - HKLM\..\Run: [fmdqn] C:\WINDOWS\fmdqn.exe

    O4 - HKLM\..\Run: [buxxg.exe] C:\WINDOWS\TEMP\BUXXG.EXE

    O4 - HKLM\..\Run: [0t.exe] C:\WINDOWS\TEMP\0T.EXE

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)

    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

    Reconfigure Windows 98 to show hidden files:

    Double-click the My Computer icon on the Windows desktop.

    Click the View menu, and then click Folder Options. Select the View tab.

    In the Hidden files section select "Show all files".

    Uncheck the box next to "Hide file extensions for known file types".

    Click Apply, and then click OK.

    Boot into Safe Mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard.

    If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    To return to normal mode just restart your computer as you normally would.

    Please delete these folders using Windows Explorer (if present):

    c:\program files\180solutions

    C:\WINDOWS\TEMP

    Please delete these files using Windows Explorer (if present):

    C:\WINDOWS\fmdqn.exe

    Now you can restart the computer normally.

    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)

  2. Hello and welcome to the BestTechie Forums. We hope you enjoy your stay here! :)

    You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Your log shows that you are running HijackThis from your desktop.

    You need to move HijackThis to a permanent directory so that backups will not be scattered on your desktop.

    • Double-click the My Computer icon on the desktop.
    • Click Local Disk C:.
    • File | New | Folder
    • A new folder called New Folder will be created.
    • Rename New Folder to HJT or HijackThis.
    • Put the HijackThis.exe on your desktop in the folder you just renamed.
    • NOTE: If you want a shortcut on your desktop, just right-click on HijackThis.exe and select Send To > Desktop (create shortcut).
    • To rename the shortcut right-click on it and click Rename. Type the name you want and press Enter.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\RunServices: [WinLoader] wqxqpyooli.exe

    O4 - HKLM\..\RunServices: [RunDLL32] C:\WINDOWS\system32\ngbqmns.exe

    Reconfigure Windows XP to show hidden files:

    Click Start. Open My Computer.

    Select the Tools menu and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".

    Uncheck the "Hide protected operating system files (recommended)" option.

    Uncheck the "Hide file extensions for known file types" option.

    Click Yes to confirm. Click OK.

    Boot into Safe Mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard.

    If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    To return to normal mode just restart your computer as you normally would.

    Please delete these files using Windows Explorer (if present):

    C:\WINDOWS\system32\ngbqmns.exe

    C:\WINDOWS\System32\wqxqpyooli.exe

    Now you can restart the computer normally.

    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)

  3. Hello and welcome to the BestTechie Forums. We hope you enjoy your stay here! :)

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

    O4 - HKLM\..\Run: [kernelll] C:\WINDOWS\system32\kernelll.pif

    O4 - HKLM\..\RunOnce: [kernelll] C:\WINDOWS\system32\kernelll.pif /RunOnce

    O16 - DPF: {6AEFE48C-FB6C-4C27-A161-A0BF3438537E} (Live(5.2) Control) - http://24.17.204.12:88/cab/Live.cab

    • Download the Pocket Killbox.
    • Unzip the contents of KillBox.zip to a convenient location.
    • Double-click on KillBox.exe.
    • Click "Standard File Kill" and check the "End Explorer Shell While Killing File" box.
    • Paste this file into the top "Full Path of File to Delete" box.
      • C:\WINDOWS\system32\kernelll.pif

    • Click the "Delete File" button which looks like a stop sign.
    • Click "Yes" at the Confirm Delete prompt.
    • Your desktop and icons should disappear for a few seconds.
    • Click "OK" at the Delete was successful prompt.

    Then restart and post a new HijackThis log. Also report the status of regedit and task manager. B)

  4. While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Now fix these entries in HijackThis:

    O2 - BHO: (no name) - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - (no file)

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O2 - BHO: (no name) - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O15 - Trusted IP range: 206.161.125.149

    O15 - Trusted IP range: (HKLM)

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -

    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

    Download the attached .inf file and unzip it to your desktop.

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right-click on the deldomains.inf file and select 'Install'

    Then restart and post a new HijackThis log.

  5. Hmmm...not quite gone yet. <_<

    You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eaqls.dll/sp.html#12345

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - C:\WINDOWS\NETHY.DLL (file missing)

    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll (disabled by BHODemon)

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O2 - BHO: (no name) - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

    O4 - HKLM\..\Run: [4040.TMP.EXE] C:\WINDOWS\TEMP\4040.TMP.EXE 4 10001

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

    O4 - HKLM\..\Run: [fmdqn] C:\WINDOWS\fmdqn.exe

    O4 - HKLM\..\Run: [buxxg.exe] C:\WINDOWS\TEMP\BUXXG.EXE

    O4 - HKLM\..\Run: [0t.exe] C:\WINDOWS\TEMP\0T.EXE

    O15 - Trusted Zone: *.awmdabest.com

    O15 - Trusted Zone: *.frame.crazywinnings.com

    O15 - Trusted Zone: *.awmdabest.com (HKLM)

    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

    O15 - Trusted IP range: 206.161.125.149

    O15 - Trusted IP range: (HKLM)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e36a2c573b15...ip/RdxIE601.cab

    Reconfigure Windows 98 to show hidden files:

    Double-click the My Computer icon on the Windows desktop.

    Click the View menu, and then click Folder Options. Select the View tab.

    In the Hidden files section select "Show all files".

    Uncheck the box next to "Hide file extensions for known file types".

    Click Apply, and then click OK.

    Boot into Safe Mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard.

    If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    To return to normal mode just restart your computer as you normally would.

    Please delete these folders using Windows Explorer (if present):

    c:\program files\180solutions

    C:\WINDOWS\TEMP

    Please delete these files using Windows Explorer (if present):

    C:\WINDOWS\fmdqn.exe

    Now you can restart the computer normally.

    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)

  6. Hello and welcome to Best Techie Forums. I hope you enjoy your stay here! :D

    You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    1. Prepare CWShredder for use:
      • Download CWShredder.
      • Save CWShredder.exe to a convenient location.
      • Please do not do anything with it yet.

    2. Prepare AboutBuster for use:
      • Download AboutBuster.
      • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
      • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
      • Click "OK" at the prompt with instructions.
      • Click "Update" and then "Check For Update" to begin the update process.
      • If any updates exist please download them by clicking "Download Update".
      • You should not run the program yet so click "Exit".

    Reconfigure Windows 98 to show hidden files:

    Double-click the My Computer icon on the Windows desktop.

    Click the View menu, and then click Folder Options. Select the View tab.

    In the Hidden files section select "Show all files".

    Uncheck the box next to "Hide file extensions for known file types".

    Click Apply, and then click OK.

    Boot into Safe Mode:

    Restart your computer and immediately begin tapping the F8 key on your keyboard.

    If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    To return to normal mode just restart your computer as you normally would.

    1. Run CWShredder:
      • Double-click on CWShredder.exe.
      • Click "Fix ->" and click "OK" at the prompt.
      • CWShredder will scan and clean your system of CWS files.
      • Click "Next->" and then "Exit".

    2. Run AboutBuster and save the logs:
      • Browse to where you saved AboutBuster and run AboutBuster.exe.
      • Click OK at the directions prompt.
      • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
      • Click Yes to allow it to shut down explorer.exe.
      • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
      • When it has finished, click Save Log. Make sure you save it as I need a copy of it.

    3. Clean out temporary files:
      • Start | Run | type cleanmgr | OK
      • Let it scan your system for files to remove.
      • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
      • Click "OK" to remove them.
      • Click "Yes" to confirm the deletion.

    4. Restart your computer normally to return to normal mode.

    5. Free TrendMicro Housecall scan:
      • Visit the TrendMicro Housecall website.
      • Select your country from the drop-down list and click "Go".
      • Choose "Yes" at the ActiveX Security Warning prompt.
      • Please wait while the Housecall engine is updated.
      • Select the drives to be scanned by placing a check in their respective boxes.
      • Check the "Auto Clean" box.
      • Click "SCAN" in order to begin scanning your system.
      • Please be patient while Housecall scans your system for malicious files.
      • If not auto-cleaned, remove anything it finds.
      • Click "Close" to exit the Housecall scanner.
      • Choose "Yes" at the HouseCall message prompt.

    6. Prepare your reply:
      • Please post a fresh HijackThis log.
      • Please post the AboutBuster log.
      • Please note any complications you had.