therock247uk
-
Content Count
960 -
Joined
-
Last visited
Content Type
Profiles
Forums
Calendar
Posts posted by therock247uk
-
-
Your log is clean
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
- Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
- How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
- IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
- Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
Credit to PGPhantom for canned speech.
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
-
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adb.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
2. Then post a new Hijackthis log here in a reply.
-
1. Go to Start > Settings > Control Panel > Add/Remove and uninstall the following.
New.Net
2. Then post a new Hijackthis log here in a reply.
-
Please print these instructions out for use in Safe Mode.
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to extract the files
- This will create a VundoFix folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
- Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
- You will first be presented with a warning and a list of forums to seek help at.
it should look like thisVundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
http://www.besttechie.net/forums/ - At this point press enter one time.
- Next you will see:Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix. - At this point please type the following file path (make sure to enter it exactly as below!):
- C:\WINDOWS\System32\gebyy.dll
[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:
Please type in the second filepath as instructed by the forum staffThen Press Enter, Then F6, Then Enter Again to continue with the fix.
[*]At this point please type the following file path (make sure to enter it exactly as below!):
- C:\WINDOWS\System32\yybeg.*
[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*]The fix will run then HijackThis will open.
[*]In HiJackThis, please place a check next to the following items and click FIX CHECKED:
- R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\gebyy.dll
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll
[*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.
- C:\WINDOWS\System32\gebyy.dll
Download and install CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
It may ask you to reboot at the end, click NO.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
- Double-click VundoFix.exe to extract the files
-
Closing topic now and moving this topic into HijackThis Logs (Resolved).
-
Your log is clean
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
- Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
- How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
- IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
- Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
Credit to PGPhantom for canned speech.
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
-
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nmaajhhaqxotuhasdfcvi.net/hmU9c...u_UhIaBAbM.html
2. Then post a new Hijackthis log here in a reply.
-
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.
3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dkwtjzykpzgxleqyjemqaq.com/hmU9...ib2KqdjJ2K.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nmaajhhaqxotuhasdfcvi.net/hmU9c...u_UhIaBAbM.html
O4 - HKLM\..\Run: [second One Defy Bolt] C:\Documents and Settings\All Users\Application Data\BODY FLAP SECOND ONE\hold inter.exe
O4 - HKCU\..\Run: [curb proxy] C:\DOCUME~1\WINDOW~1\APPLIC~1\BLEHGR~1\fast download.exe
4. Delete the folders. (if present)
C:\Documents and Settings\All Users\Application Data\BODY FLAP SECOND ONE\
C:\Documents and Settings\WINDOW~1\Application Data\BLEHGR~1\ < Folder starts with BLEHGR
5. Reboot and post a new Hijackthis log here in a reply.
-
1. Go to Start > Settings > Control Panel > Add/Remove and uninstall the following.
Viewpoint Toolbar
Viewpoint Manager
2. Then post a new Hijackthis log here in a reply.
-
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
2. Then post a new Hijackthis log here in a reply.
-
Your log is clean
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
- Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
- How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
- IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
- Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
Credit to PGPhantom for canned speech.
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
-
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
2. Then post a new Hijackthis log here in a reply.
-
Can you post the Hijackthis log here in a reply. Not attach
-
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.
You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.
Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here
Save all of these files somewhere you will remember like to the Desktop.
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)
Run the CleanUp! installer. You dont need to do anything with it right now.
Update About:Buster
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update" then click the X to close that window.
- Now close About:Buster
Update CWShredder
- Open CWShredder and click I AGREE
- Click Check For Update
- Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Please run about:buster by RubbeRDuckY:
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
- Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.
Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.
Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
Good Luck
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
-
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.
3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
O4 - HKCU\..\Run: [DirectX shell driver] C:\WINDOWS\sammp32.exe
4. Delete the files. (if present)
C:\WINDOWS\sammp32.exe
5. Reboot and post a new Hijackthis log here in a reply.
-
Uninstall your current version of Ewido as I dont know if its up to date.
Please download ewido security suite it is a trial version of the program.
- Install ewido security suite
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.
Open Ewido again
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- While the scan is in progress you will be prompted to clean files, click OK
- When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.
Now close ewido security suite.
Reboot and Post the report Ewido made and a new Hijackthis log here in a reply.
- Install ewido security suite
-
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.
3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vpuzs.dll/sp.html#70964
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vpuzs.dll/sp.html#70964
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vpuzs.dll/sp.html#70964
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vpuzs.dll/sp.html#70964
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vpuzs.dll/sp.html#70964
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vpuzs.dll/sp.html#70964
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vpuzs.dll/sp.html#70964
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B4B127D9-941C-DF50-6E09-19E9881B830A} - C:\WINDOWS\system32\wintq32.dll
O4 - HKLM\..\Run: [iEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [sysdm32.exe] C:\WINDOWS\sysdm32.exe
4. Delete the files. (if present)
C:\WINDOWS\vpuzs.dll
C:\WINDOWS\system32\wintq32.dll
C:\WINDOWS\sysdm32.exe
5. Reboot and post a new Hijackthis log here in a reply.
-
Your log is clean
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
- Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
- How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
- IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
- Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
Credit to PGPhantom for canned speech.
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
-
1. Go to Start > Settings > Add/Remove and uninstall the following.
Viewpoint Manager
2. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
3. Delete the files. (if present)
C:\WINDOWS\system32\nnltz.dll
4.
Download about:buster by RubbeRDuckY Here.
Save the file somewhere you will remember like to the Desktop.
Please run about:buster by RubbeRDuckY:
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update" then click the X to close that window.
- Boot into safemode again
- Open About:buster again
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
5. Reboot back into normal mode and download http://osc.geekstogo.com/cwsserviceremove.reg run it it will ask to merge into the registery say yes.
6. Download and run http://cwshredder.net/bin/CWShredder.exe click fix.
7. Then post the about:buster log and a new Hijackthis log here in a reply.
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
-
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.
3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nnltz.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DECE7F32-C7E7-28BF-BF37-5DA16FD8856B} - C:\WINDOWS\system32\addxl.dll
O4 - HKLM\..\Run: [iedx.exe] C:\WINDOWS\system32\iedx.exe
O4 - HKLM\..\RunOnce: [javakx32.exe] C:\WINDOWS\system32\javakx32.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\mfcyt32.exe (file missing)
4. Delete the files. (if present)
C:\WINDOWS\system32\nnltz.dll
C:\WINDOWS\system32\addxl.dll
C:\WINDOWS\system32\iedx.exe
C:\WINDOWS\system32\javakx32.exe
C:\WINDOWS\system32\mfcyt32.exe
5. Reboot and post a new Hijackthis log here in a reply.
-
How is the PC running?
Your log is clean
Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
- Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
- How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
- IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
- Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
Credit to PGPhantom for canned speech.
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
-
Your Hijackthis log is clean
1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
O4 - HKLM\..\Run: [iEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
The file that is causing you a problem is this line in Hijackthis you can fix it if you wish and try opening it when needed look here for infomation on it http://castlecops.com/startuplist-3543.html
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
2. Reboot your PC and see if you still have a problem.
-
1. Boot into safemode again.
2. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\82F4C060.hta
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O13 - WWW. Prefix: http://
3. Delete the files. (if present)
C:\WINDOWS\SYSTEM\82F4C060.hta
4. Reboot and post a new Hijackthis log here in a reply.
-
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.nz/help/0,,4155-1916458,00.html
2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.
3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xzhki.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xzhki.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xzhki.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xzhki.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xzhki.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xzhki.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xzhki.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {24F7A19B-E91E-3E36-E139-91C802FC2B0F} - C:\WINDOWS\APIZN32.DLL
O2 - BHO: Class - {ADE15B25-99D9-47AB-3E33-9B2A8D282369} - C:\WINDOWS\SYSTEM\MFCPP32.DLL
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\82F4C060.hta
O4 - HKLM\..\Run: [WINMJ32.EXE] C:\WINDOWS\WINMJ32.EXE
O4 - HKLM\..\RunServices: [JAVABN32.EXE] C:\WINDOWS\SYSTEM\JAVABN32.EXE /s
O4 - HKLM\..\RunServices: [APINA.EXE] C:\WINDOWS\SYSTEM\APINA.EXE /s
O4 - HKLM\..\RunServices: [NETKR32.EXE] C:\WINDOWS\NETKR32.EXE /s
O4 - HKLM\..\RunServices: [ATLDF.EXE] C:\WINDOWS\ATLDF.EXE /s
O4 - HKLM\..\RunServices: [sDKLK.EXE] C:\WINDOWS\SDKLK.EXE /s
O4 - HKLM\..\RunServices: [NETNC32.EXE] C:\WINDOWS\SYSTEM\NETNC32.EXE /s
O4 - HKLM\..\RunServices: [iPNN.EXE] C:\WINDOWS\IPNN.EXE /s
O4 - HKLM\..\RunServices: [APIIW32.EXE] C:\WINDOWS\SYSTEM\APIIW32.EXE /s
O4 - HKLM\..\RunServices: [iPDD32.EXE] C:\WINDOWS\IPDD32.EXE /s
O4 - HKLM\..\RunServices: [MSDA.EXE] C:\WINDOWS\MSDA.EXE /s
O4 - HKLM\..\RunServices: [sDKPW.EXE] C:\WINDOWS\SYSTEM\SDKPW.EXE /s
O4 - HKLM\..\RunServices: [iPZF32.EXE] C:\WINDOWS\IPZF32.EXE /s
O4 - HKLM\..\RunServices: [JAVARD.EXE] C:\WINDOWS\JAVARD.EXE /s
O4 - HKLM\..\RunServices: [NTNR.EXE] C:\WINDOWS\NTNR.EXE /s
O4 - HKLM\..\RunServices: [NTQA32.EXE] C:\WINDOWS\NTQA32.EXE /s
O4 - HKLM\..\RunServices: [NETMV.EXE] C:\WINDOWS\SYSTEM\NETMV.EXE /s
O4 - HKLM\..\RunServices: [MFCKO32.EXE] C:\WINDOWS\SYSTEM\MFCKO32.EXE /s
O4 - HKLM\..\RunServices: [ADDSB32.EXE] C:\WINDOWS\SYSTEM\ADDSB32.EXE /s
O4 - HKLM\..\RunServices: [D3TF32.EXE] C:\WINDOWS\D3TF32.EXE /s
O4 - HKLM\..\RunServices: [MSSH.EXE] C:\WINDOWS\SYSTEM\MSSH.EXE /s
O4 - HKLM\..\RunServices: [NTZY32.EXE] C:\WINDOWS\SYSTEM\NTZY32.EXE /s
O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE /s
O4 - HKLM\..\RunServices: [MSOC32.EXE] C:\WINDOWS\MSOC32.EXE /s
O4 - HKLM\..\RunServices: [NTPU32.EXE] C:\WINDOWS\NTPU32.EXE /s
O4 - HKLM\..\RunServices: [iEGJ32.EXE] C:\WINDOWS\IEGJ32.EXE /s
O4 - HKLM\..\RunServices: [sYSPG32.EXE] C:\WINDOWS\SYSPG32.EXE /s
O4 - HKLM\..\RunServices: [sYSMP.EXE] C:\WINDOWS\SYSTEM\SYSMP.EXE /s
O4 - HKLM\..\RunServices: [MSCT.EXE] C:\WINDOWS\SYSTEM\MSCT.EXE /s
O4 - HKLM\..\RunServices: [APPNP32.EXE] C:\WINDOWS\APPNP32.EXE /s
O4 - HKLM\..\RunServices: [APPPU.EXE] C:\WINDOWS\APPPU.EXE /s
O4 - HKLM\..\RunServices: [ADDMR32.EXE] C:\WINDOWS\SYSTEM\ADDMR32.EXE /s
O4 - HKLM\..\RunServices: [WINRM.EXE] C:\WINDOWS\SYSTEM\WINRM.EXE /s
O4 - HKLM\..\RunServices: [iERL.EXE] C:\WINDOWS\IERL.EXE /s
O4 - HKLM\..\RunServices: [ADDCL32.EXE] C:\WINDOWS\SYSTEM\ADDCL32.EXE /s
O4 - HKLM\..\RunServices: [MSHV.EXE] C:\WINDOWS\SYSTEM\MSHV.EXE /s
O4 - HKLM\..\RunServices: [WINSU.EXE] C:\WINDOWS\SYSTEM\WINSU.EXE /s
O4 - HKLM\..\RunServices: [JAVAUJ.EXE] C:\WINDOWS\JAVAUJ.EXE /s
O4 - HKLM\..\RunServices: [ATLUK32.EXE] C:\WINDOWS\ATLUK32.EXE /s
O4 - HKLM\..\RunServices: [NTFJ.EXE] C:\WINDOWS\NTFJ.EXE /s
O4 - HKLM\..\RunServices: [NETMT32.EXE] C:\WINDOWS\NETMT32.EXE /s
O4 - HKLM\..\RunServices: [MSQY32.EXE] C:\WINDOWS\MSQY32.EXE /s
O4 - HKLM\..\RunServices: [APIRI32.EXE] C:\WINDOWS\APIRI32.EXE /s
O4 - HKLM\..\RunServices: [NTEF.EXE] C:\WINDOWS\SYSTEM\NTEF.EXE /s
O4 - HKLM\..\RunServices: [sYSSO.EXE] C:\WINDOWS\SYSTEM\SYSSO.EXE /s
O4 - HKLM\..\RunServices: [NTRW.EXE] C:\WINDOWS\SYSTEM\NTRW.EXE /s
O4 - HKLM\..\RunServices: [MSSY32.EXE] C:\WINDOWS\SYSTEM\MSSY32.EXE /s
O4 - HKLM\..\RunServices: [sDKHK.EXE] C:\WINDOWS\SDKHK.EXE /s
O4 - HKLM\..\RunServices: [NTCN.EXE] C:\WINDOWS\SYSTEM\NTCN.EXE /s
O4 - HKLM\..\RunServices: [iPYC.EXE] C:\WINDOWS\IPYC.EXE /s
O4 - HKLM\..\RunServices: [iPAX.EXE] C:\WINDOWS\IPAX.EXE /s
O4 - HKLM\..\RunServices: [iELM32.EXE] C:\WINDOWS\IELM32.EXE /s
O4 - HKLM\..\RunServices: [APPDV32.EXE] C:\WINDOWS\SYSTEM\APPDV32.EXE /s
O4 - HKLM\..\RunServices: [NTIF.EXE] C:\WINDOWS\NTIF.EXE /s
O4 - HKLM\..\RunServices: [ADDMQ32.EXE] C:\WINDOWS\SYSTEM\ADDMQ32.EXE /s
O4 - HKLM\..\RunServices: [iPXX.EXE] C:\WINDOWS\IPXX.EXE /s
O4 - HKLM\..\RunServices: [NETMZ32.EXE] C:\WINDOWS\SYSTEM\NETMZ32.EXE /s
O4 - HKLM\..\RunServices: [ATLAF32.EXE] C:\WINDOWS\SYSTEM\ATLAF32.EXE /s
O4 - HKLM\..\RunServices: [CRWA32.EXE] C:\WINDOWS\CRWA32.EXE /s
O4 - HKLM\..\RunServices: [CRCG.EXE] C:\WINDOWS\CRCG.EXE /s
O4 - HKLM\..\RunServices: [sDKBX.EXE] C:\WINDOWS\SDKBX.EXE /s
O4 - HKLM\..\RunServices: [D3QQ32.EXE] C:\WINDOWS\SYSTEM\D3QQ32.EXE /s
O4 - HKLM\..\RunServices: [WINGQ32.EXE] C:\WINDOWS\SYSTEM\WINGQ32.EXE /s
O4 - HKLM\..\RunServices: [NETXC32.EXE] C:\WINDOWS\NETXC32.EXE /s
O4 - HKLM\..\RunServices: [MSXQ32.EXE] C:\WINDOWS\MSXQ32.EXE /s
O4 - HKLM\..\RunServices: [iPBN32.EXE] C:\WINDOWS\IPBN32.EXE /s
O4 - HKLM\..\RunServices: [sDKKI32.EXE] C:\WINDOWS\SDKKI32.EXE /s
O4 - HKLM\..\RunServices: [JAVAHV.EXE] C:\WINDOWS\JAVAHV.EXE /s
O4 - HKLM\..\RunServices: [MSQE.EXE] C:\WINDOWS\MSQE.EXE /s
O4 - HKLM\..\RunServices: [ATLFM.EXE] C:\WINDOWS\SYSTEM\ATLFM.EXE /s
O4 - HKLM\..\RunServices: [iEBL.EXE] C:\WINDOWS\IEBL.EXE /s
O4 - HKLM\..\RunServices: [sDKGJ.EXE] C:\WINDOWS\SDKGJ.EXE /s
O4 - HKLM\..\RunServices: [iEQI32.EXE] C:\WINDOWS\SYSTEM\IEQI32.EXE /s
O4 - HKLM\..\RunServices: [iPXO.EXE] C:\WINDOWS\SYSTEM\IPXO.EXE /s
O4 - HKLM\..\RunServices: [CRYE.EXE] C:\WINDOWS\CRYE.EXE /s
O4 - HKLM\..\RunServices: [sYSLZ32.EXE] C:\WINDOWS\SYSLZ32.EXE /s
O4 - HKLM\..\RunServices: [JAVAJT.EXE] C:\WINDOWS\JAVAJT.EXE /s
O4 - HKLM\..\RunServices: [MSXO32.EXE] C:\WINDOWS\MSXO32.EXE /s < there many be more like that fix them also
4. Delete the files.
C:\WINDOWS\xzhki.dll
C:\WINDOWS\APIZN32.DLL
C:\WINDOWS\SYSTEM\MFCPP32.DLL
C:\WINDOWS\SYSTEM\82F4C060.hta
C:\WINDOWS\WINMJ32.EXE
C:\WINDOWS\SYSTEM\JAVABN32.EXE
C:\WINDOWS\SYSTEM\APINA.EXE
C:\WINDOWS\NETKR32.EXE
C:\WINDOWS\ATLDF.EXE
C:\WINDOWS\SDKLK.EXE
C:\WINDOWS\SYSTEM\NETNC32.EXE
C:\WINDOWS\IPNN.EXE
C:\WINDOWS\SYSTEM\APIIW32.EXE
C:\WINDOWS\IPDD32.EXE
C:\WINDOWS\MSDA.EXE
C:\WINDOWS\SYSTEM\SDKPW.EXE
C:\WINDOWS\IPZF32.EXE
C:\WINDOWS\JAVARD.EXE
C:\WINDOWS\NTNR.EXE
C:\WINDOWS\NTQA32.EXE
C:\WINDOWS\SYSTEM\NETMV.EXE
C:\WINDOWS\SYSTEM\MFCKO32.EXE
C:\WINDOWS\SYSTEM\ADDSB32.EXE
C:\WINDOWS\D3TF32.EXE
C:\WINDOWS\SYSTEM\MSSH.EXE
C:\WINDOWS\SYSTEM\NTZY32.EXE
C:\WINDOWS\SYSTEM\APPBH32.EXE
C:\WINDOWS\MSOC32.EXE
C:\WINDOWS\NTPU32.EXE
C:\WINDOWS\IEGJ32.EXE
C:\WINDOWS\SYSPG32.EXE
C:\WINDOWS\SYSTEM\SYSMP.EXE
C:\WINDOWS\SYSTEM\MSCT.EXE
C:\WINDOWS\APPNP32.EXE
C:\WINDOWS\APPPU.EXE
C:\WINDOWS\SYSTEM\ADDMR32.EXE
C:\WINDOWS\SYSTEM\WINRM.EXE
C:\WINDOWS\IERL.EXE
C:\WINDOWS\SYSTEM\ADDCL32.EXE
C:\WINDOWS\SYSTEM\MSHV.EXE
C:\WINDOWS\SYSTEM\WINSU.EXE
C:\WINDOWS\JAVAUJ.EXE
C:\WINDOWS\ATLUK32.EXE
C:\WINDOWS\NTFJ.EXE
C:\WINDOWS\NETMT32.EXE
C:\WINDOWS\MSQY32.EXE
C:\WINDOWS\APIRI32.EXE
C:\WINDOWS\SYSTEM\NTEF.EXE
C:\WINDOWS\SYSTEM\SYSSO.EXE
C:\WINDOWS\SYSTEM\NTRW.EXE
C:\WINDOWS\SYSTEM\MSSY32.EXE
C:\WINDOWS\SDKHK.EXE
C:\WINDOWS\SYSTEM\NTCN.EXE
C:\WINDOWS\IPYC.EXE
C:\WINDOWS\IPAX.EXE
C:\WINDOWS\IELM32.EXE
C:\WINDOWS\SYSTEM\APPDV32.EXE
C:\WINDOWS\NTIF.EXE
C:\WINDOWS\SYSTEM\ADDMQ32.EXE
C:\WINDOWS\IPXX.EXE
C:\WINDOWS\SYSTEM\NETMZ32.EXE
C:\WINDOWS\SYSTEM\ATLAF32.EXE
C:\WINDOWS\CRWA32.EXE
C:\WINDOWS\CRCG.EXE
C:\WINDOWS\SDKBX.EXE
C:\WINDOWS\SYSTEM\D3QQ32.EXE
C:\WINDOWS\SYSTEM\WINGQ32.EXE
C:\WINDOWS\NETXC32.EXE
C:\WINDOWS\MSXQ32.EXE
C:\WINDOWS\IPBN32.EXE
C:\WINDOWS\SDKKI32.EXE
C:\WINDOWS\JAVAHV.EXE
C:\WINDOWS\MSQE.EXE
C:\WINDOWS\SYSTEM\ATLFM.EXE
C:\WINDOWS\IEBL.EXE
C:\WINDOWS\SDKGJ.EXE
C:\WINDOWS\SYSTEM\IEQI32.EXE
C:\WINDOWS\SYSTEM\IPXO.EXE
C:\WINDOWS\CRYE.EXE
C:\WINDOWS\SYSLZ32.EXE
C:\WINDOWS\JAVAJT.EXE
C:\WINDOWS\MSXO32.EXE
5. Reboot back into normal mode and post a new Hijackthis log here in a reply.
Hjt Log
in Malware Removal
Posted
Please print these instructions out for use in Safe Mode.
Please download VundoFix.exe to your desktop.
it should look like this
[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:
[*]At this point please type the following file path (make sure to enter it exactly as below!):
[*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*]The fix will run then HijackThis will open.
[*]In HiJackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtsqq.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: vtsqq - C:\WINDOWS\system32\vtsqq.dll
[*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
[*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
[*]Once your machine reboots please continue with the instructions below.
Download and install CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Click OK
Press the CleanUp! button to start the program.
It may ask you to reboot at the end, click NO.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.