Posts posted by LineOFire
-
Do you have dial-up or broadband?
-
Your log shows that you didn't disable TeaTimer. I urge you to please do it until I give you the all clear.
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
- Open Spybot Search & Destroy.
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident".
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
- In the File menu click "Exit" to exit Spybot Search & Destroy.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O2 - BHO: (no name) - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [fmdqn] C:\WINDOWS\fmdqn.exe
O4 - HKLM\..\Run: [buxxg.exe] C:\WINDOWS\TEMP\BUXXG.EXE
O4 - HKLM\..\Run: [0t.exe] C:\WINDOWS\TEMP\0T.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
Reconfigure Windows 98 to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Folder Options. Select the View tab.
In the Hidden files section select "Show all files".
Uncheck the box next to "Hide file extensions for known file types".
Click Apply, and then click OK.
Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
Please delete these folders using Windows Explorer (if present):
c:\program files\180solutions
C:\WINDOWS\TEMP
Please delete these files using Windows Explorer (if present):
C:\WINDOWS\fmdqn.exe
Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan.
-
Looks clean now. Great job!
Are you having any more problems?
-
Your log looks clean now. Congratulations!
Are you having any more problems?
-
Hello and welcome to the BestTechie Forums. We hope you enjoy your stay here!
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
Your log shows that you are running HijackThis from your desktop.
You need to move HijackThis to a permanent directory so that backups will not be scattered on your desktop.
- Double-click the My Computer icon on the desktop.
- Click Local Disk C:.
- File | New | Folder
- A new folder called New Folder will be created.
- Rename New Folder to HJT or HijackThis.
- Put the HijackThis.exe on your desktop in the folder you just renamed.
- NOTE: If you want a shortcut on your desktop, just right-click on HijackThis.exe and select Send To > Desktop (create shortcut).
- To rename the shortcut right-click on it and click Rename. Type the name you want and press Enter.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [WinLoader] wqxqpyooli.exe
O4 - HKLM\..\RunServices: [RunDLL32] C:\WINDOWS\system32\ngbqmns.exe
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
Please delete these files using Windows Explorer (if present):
C:\WINDOWS\system32\ngbqmns.exe
C:\WINDOWS\System32\wqxqpyooli.exe
Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan.
-
Hello and welcome to the BestTechie Forums. We hope you enjoy your stay here!
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [kernelll] C:\WINDOWS\system32\kernelll.pif
O4 - HKLM\..\RunOnce: [kernelll] C:\WINDOWS\system32\kernelll.pif /RunOnce
O16 - DPF: {6AEFE48C-FB6C-4C27-A161-A0BF3438537E} (Live(5.2) Control) - http://24.17.204.12:88/cab/Live.cab
- Download the Pocket Killbox.
- Unzip the contents of KillBox.zip to a convenient location.
- Double-click on KillBox.exe.
- Click "Standard File Kill" and check the "End Explorer Shell While Killing File" box.
- Paste this file into the top "Full Path of File to Delete" box.
- C:\WINDOWS\system32\kernelll.pif
- Click the "Delete File" button which looks like a stop sign.
- Click "Yes" at the Confirm Delete prompt.
- Your desktop and icons should disappear for a few seconds.
- Click "OK" at the Delete was successful prompt.
Then restart and post a new HijackThis log. Also report the status of regedit and task manager.
-
Post a new HijackThis log then and we will go from there.
-
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
- Open Spybot Search & Destroy.
- In the Mode menu click "Advanced mode" if not already selected.
- Choose "Yes" at the Warning prompt.
- Expand the "Tools" menu.
- Click "Resident".
- Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
- In the File menu click "Exit" to exit Spybot Search & Destroy.
Now fix these entries in HijackThis:
O2 - BHO: (no name) - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
Download the attached .inf file and unzip it to your desktop.
http://www.mvps.org/winhelp2002/DelDomains.inf
Right-click on the deldomains.inf file and select 'Install'
Then restart and post a new HijackThis log.
-
Hmmm...not quite gone yet.
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\eaqls.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {54255AC2-2B7F-9119-713D-1BFBB01E8BCD} - C:\WINDOWS\NETHY.DLL (file missing)
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll (disabled by BHODemon)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)
O4 - HKLM\..\Run: [4040.TMP.EXE] C:\WINDOWS\TEMP\4040.TMP.EXE 4 10001
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [fmdqn] C:\WINDOWS\fmdqn.exe
O4 - HKLM\..\Run: [buxxg.exe] C:\WINDOWS\TEMP\BUXXG.EXE
O4 - HKLM\..\Run: [0t.exe] C:\WINDOWS\TEMP\0T.EXE
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e36a2c573b15...ip/RdxIE601.cab
Reconfigure Windows 98 to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Folder Options. Select the View tab.
In the Hidden files section select "Show all files".
Uncheck the box next to "Hide file extensions for known file types".
Click Apply, and then click OK.
Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
Please delete these folders using Windows Explorer (if present):
c:\program files\180solutions
C:\WINDOWS\TEMP
Please delete these files using Windows Explorer (if present):
C:\WINDOWS\fmdqn.exe
Now you can restart the computer normally.
Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan.
-
Hello and welcome to Best Techie Forums. I hope you enjoy your stay here!
You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
- Prepare CWShredder for use:
- Download CWShredder.
- Save CWShredder.exe to a convenient location.
- Please do not do anything with it yet.
- Prepare AboutBuster for use:
- Download AboutBuster.
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update".
- You should not run the program yet so click "Exit".
Reconfigure Windows 98 to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Folder Options. Select the View tab.
In the Hidden files section select "Show all files".
Uncheck the box next to "Hide file extensions for known file types".
Click Apply, and then click OK.
Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.
- Run CWShredder:
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".
- Run AboutBuster and save the logs:
- Browse to where you saved AboutBuster and run AboutBuster.exe.
- Click OK at the directions prompt.
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I need a copy of it.
- Clean out temporary files:
- Start | Run | type cleanmgr | OK
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Click "OK" to remove them.
- Click "Yes" to confirm the deletion.
- Restart your computer normally to return to normal mode.
- Free TrendMicro Housecall scan:
- Visit the TrendMicro Housecall website.
- Select your country from the drop-down list and click "Go".
- Choose "Yes" at the ActiveX Security Warning prompt.
- Please wait while the Housecall engine is updated.
- Select the drives to be scanned by placing a check in their respective boxes.
- Check the "Auto Clean" box.
- Click "SCAN" in order to begin scanning your system.
- Please be patient while Housecall scans your system for malicious files.
- If not auto-cleaned, remove anything it finds.
- Click "Close" to exit the Housecall scanner.
- Choose "Yes" at the HouseCall message prompt.
- Prepare your reply:
- Please post a fresh HijackThis log
- Please post the AboutBuster log.
- Please note any complications you had.
-
Spyware
in Malware Removal
Doesn't look like a malware problem to me anymore.
Would you mind starting a topic in Windows Support?