Jump to content


Photo

"Search for..." Hijacker


  • This topic is locked This topic is locked
13 replies to this topic

#1 krizz

krizz

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 25 June 2004 - 08:34 AM

Please, how do I get rid off this site that pop-up every time I do start the internet explorer? However the default homepage is blank, but everytime get this stupied site to see. Please, finf my log file.... I really appreciate your answer.

Logfile of HijackThis v1.97.7
Scan saved at 15:34:28, on 25.06.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\WINNT\dhbrwsr.exe
D:\WINNT\TimeSynchronize.exe
D:\WINNT\system32\qvqkbw.exe
D:\WINNT\system32\DeltTray.exe
D:\WINNT\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Winamp\Winamp.exe
D:\Program Files\VVSN\VVSN.exe
D:\WINNT\explorer.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {ECB733C4-A4CB-43E0-9908-24FDA9E58E25} - D:\WINNT\system32\flo.dll

#2 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 08:54 AM

Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, post the results....
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#3 krizz

krizz

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 25 June 2004 - 09:27 AM

But the site still pop up... also there is still some other window which says my computer (I.P.) is infected with Spy- and Hijackersoftware and I need to remove this... when I click on it link me to a site with downlaod stuff (exe) spy-remover or something. However they might be fake.

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is FAT32.
D: is not dirty.

Fr 25.06.2004
4:22pm up 0 days, 0:31
»»»»»»»»»»»»»»»»»»***Attention!***»»»»»»»»»»»»»»»»
Files listed in this section (in System32) are not always definitive!
Always Double Check and be sure the file pointed doesn't exist!

»»Locked or 'Suspect' file(s) found...


D:\WINNT\System32\WINEI.DLL +++ File read error
\\?\D:\WINNT\System32\WINEI.DLL +++ File read error
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»Special 'locked' files scan in 'System32'........
**File D:\FINDnFIX\LIST.TXT
WINEI.DLL Can't Open!

****Filtering files in System32... (-h -s -r...) ***
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

D:\WINNT\SYSTEM32\
winei.dll Fri 25 Jun 2004 12:27:22 ....R 57.344 56,00 K
mfc71.dll Mon 5 Apr 2004 10:31:00 A...R 1.060.864 1,01 M
msvcp71.dll Mon 5 Apr 2004 10:31:02 A...R 499.712 488,00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 1.617.920 bytes 1,54 M

D:\WINNT\SYSTEM32\
ln32k.dll Thu 15 Apr 2004 13:27:42 A..H. 16 0,02 K

1 item found: 1 file, 0 directories.
Total of file sizes: 16 bytes 0,02 K

Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\WINNT\SYSTEM32\LN32K.DLL
Sniffed -> D:\WINNT\SYSTEM32\WINEI.DLL
Sniffed -> D:\WINNT\SYSTEM32\MFC71.DLL
Sniffed -> D:\WINNT\SYSTEM32\MSVCP71.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group KRIZZ\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
User is a member of group \LOCAL.

»»Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "D:\junkxxx"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone



»»»»»»Backups created...»»»»»»
4:22pm up 0 days, 0:31
Fr 25.06.2004

A D:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-25-2004 winback.hiv
A D:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-25-2004 winkey.reg

»»Performing 16bit string scan....

---------- WIN.TXT
AppInit_DLLs
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
DeviceNotSelectedTimeout
GDIProcessHandleQuota
Spooler
swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota

**File D:\FINDnFIX\WIN.TXT
        ą’’’Š 8 € ° ą  @ Ų’’’vk 8 ų   AppInit_DLLs Ą’’’D : \ W I N N T \ s y s t e m 3 2 \ w i n e i . d l l 0 0 Š’’’vk  h   DeviceNotSelectedTimeoutč’’’1 5  `å °å čå Š’’’vk  €'   GDIProcessHandleQuota ą’’’vk  Š   Spooler š’’’y e s ą’’’vk  €   swapdiskŠ’’’vk  0   TransmissionRetryTimeoutš’’’9 0  `č Š’’’vk  €'   USERProcessHandleQuota ? ’’’’

#4 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 10:32 AM

Well done!
Your bad file is positively identified on all counts!
This will take couple or more steps to fix.
Be sure to Follow the next set of steps carefully, in
the exact order specified:


-Open the FINDnFIX\Keys1 Subfolder!
- Locate the "MOVEit.bat" file, Right-Click on it,
select->edit:
The file will open as empty text file.
-Copy and paste the entire hilited line in the following quote box
(all one line) into that blank 'MOVEit' file:

move %WinDir%\System32\WINEI.DLL %SystemDrive%\junkxxx\WINEI.DLL


-Save the file and close.

*Get ready to restart your computer:
-In the same folder, DoubleClick on the "FIX.bat" file.
You will be prompted by popup -Alert to restart in 15 seconds.
-Allow it to restart the computer!

-On restart, Navigate to:
C:\FINDnFIX\ main folder:
-DoubleClick on the "RESTORE.bat" file.

It'll run and produce new log. (log1.txt) post it here!

P.S
Don't click or download anything from these popups!
All *bogus scare tactics!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#5 krizz

krizz

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 25 June 2004 - 10:56 AM

Mhm, the site sill pop-up...
-----------------------------------------------


Fr 25.06.2004
5:53pm up 0 days, 0:04

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is FAT32.
D: is not dirty.

*Locked files...
\\?\D:\WINNT\System32\WINEI.DLL +++ File read error

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

D:\WINNT\SYSTEM32\
winei.dll Fri 25 Jun 2004 12:27:22 ....R 57.344 56,00 K
mfc71.dll Mon 5 Apr 2004 10:31:00 A...R 1.060.864 1,01 M
msvcp71.dll Mon 5 Apr 2004 10:31:02 A...R 499.712 488,00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 1.617.920 bytes 1,54 M

D:\WINNT\SYSTEM32\
ln32k.dll Thu 15 Apr 2004 13:27:42 A..H. 16 0,02 K

1 item found: 1 file, 0 directories.
Total of file sizes: 16 bytes 0,02 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\WINNT\SYSTEM32\LN32K.DLL
Sniffed -> D:\WINNT\SYSTEM32\WINEI.DLL
Sniffed -> D:\WINNT\SYSTEM32\MFC71.DLL
Sniffed -> D:\WINNT\SYSTEM32\MSVCP71.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
Disk/Path/File Access Error:

Run Time(sec) 0

move %WinDir%\System32\WINEI.DLL %SystemDrive%\junkxxx\WINEI.DLL

ERROR! Cannot change to directory: D:\junkxxx


»»Permissions:
*** unknown file or directory "D:\junkxxx\*.*"

»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
AppInit_DLLs

---------- NEWWIN.TXT
AppInit_DLLsndleQuota
**File D:\FINDnFIX\NEWWIN.TXT
       
**File D:\FINDnFIX\NEWWIN.TXT
00001328: 01 00 00 00 01 00 46 00 . 5F 44 4C 4C 73 6E 64 6C ......F. _DLLsndl
**File D:\FINDnFIX\NEWWIN.TXT
        ą’’’Ų  P €   ą  Š’’’vk     DeviceNotSelectedTimeoutč’’’1 5  `å °å čå Š’’’vk  €'   GDIProcessHandleQuota ą’’’vk  p   Spooler š’’’y e s ą’’’vk  €   swapdiskŠ’’’vk  Š   TransmissionRetryTimeoutš’’’9 0  `č Š’’’vk  €'   USERProcessHandleQuota Š’’’vk 8 @   F AppInit_DLLsndleQuota a Ą’’’D : \ W I N N T \ s y s t e m 3 2 \ w i n e i . d l l € ’’’’

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 11:29 AM

***EDIT:***

Just noticed this on your log:
move %WinDir%\System32\WINEI.DLL %SystemDrive%\junkxxx\WINEI.DLL

ERROR! Cannot change to directory: D:\junkxxx :oops:


=================================
Try these steps, instead:

DoubleClick on the "FIX.BAT" file in the
C:\FINDnFIX\Keys1\ Subfolder.

Allow it to restart your computer!

On restart, go to C:\
And check whether a folder named "junkxxx" exists.
Looks like it was there before but gone..

If doesn't exist, create new folder and rename it: junkxxx
(if there already, ignore)
Go to System32 folder, find the "winei.dll" file
and move it to the C:\junkxxx folder.

Re-run the RESTORE.bat file and post new log!

P.S
You have a special case and this will take a while...
If the next step won't produce the results we'll try something else...

Edited by freeatlast, 25 June 2004 - 11:32 AM.

Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#7 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 11:40 AM

Mhm, the site sill pop-up...
-----------------------------------------------


*Locked files...
\\?\D:\WINNT\System32\WINEI.DLL +++ File read error

»»»Filtering files in System32.......( 'R;H;S') »»»


D:\WINNT\SYSTEM32\
  ln32k.dll    Thu 15 Apr 2004  13:27:42  A..H.            16    0,02 K

1 item found:  1 file, 0 directories.
  Total of file sizes:  16 bytes      0,02 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed ->  :alarm: D:\WINNT\SYSTEM32\LN32K.DLL
Sniffed -> D:\WINNT\SYSTEM32\WINEI.DLL

.........AND you have a virus:

Details:
http://securityrespo...hllw.theug.html

Multiple infections are likely to cause conflicts!
Find that file-LN32K.DLL in System32 folder and try deleting it in Safe mode!
*Note:
The file has hidden attributes!
Be sure all hidden/protected files are set as visible in folder options/view!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#8 krizz

krizz

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 25 June 2004 - 12:16 PM

I deleted the virus. also I moved the winei.dll to that junkxxx folder I had been opened on drive D. But the hijacker site keeps poping-up.
---------------------------------------------------------------------------


Fr 25.06.2004
7:12pm up 0 days, 0:04

Microsoft Windows 2000 [Version 5.00.2195]
The type of the file system is FAT32.
D: is not dirty.

*Locked files...
* result\\?\D:\junkxxx\WINEI.DLL

»»»Filtering files in System32.......( 'R;H;S') »»»
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

D:\WINNT\SYSTEM32\
mfc71.dll Mon 5 Apr 2004 10:31:00 A...R 1.060.864 1,01 M
msvcp71.dll Mon 5 Apr 2004 10:31:02 A...R 499.712 488,00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 1.560.576 bytes 1,49 M

No matches found.
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\WINNT\SYSTEM32\MFC71.DLL
Sniffed -> D:\WINNT\SYSTEM32\MSVCP71.DLL
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

D:\JUNKXXX\
winei.dll Fri 25 Jun 2004 12:27:22 A...R 57.344 56,00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57.344 bytes 56,00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> D:\JUNKXXX\WINEI.DLL


Search text: ŻSTREAMINGDEVICESETUP2Ž ®CASE Insensitive Match
Searching ==>D:\JUNKXXX\WINEI.DLL
Run Time(sec) 0
**File D:\JUNKXXX\WINEI.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....ą.

move %WinDir%\System32\WINEI.DLL %SystemDrive%\junkxxx\WINEI.DLL

-ra-- W32i - - - - 57,344 06-25-2004 winei.dll
A R D:\junkxxx\winei.dll
File: <D:\junkxxx\winei.dll>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
D:\junkxxx\winei.dll
Directory "D:\junkxxx\."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

Directory "D:\junkxxx\.."
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone

File "D:\junkxxx\winei.dll"
Permissions:
NA

Auditing:
NA

Owner: \Everyone

Primary Group: \Everyone


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
AppInit_DLLs

---------- NEWWIN.TXT
AppInit_DLLs
**File D:\FINDnFIX\NEWWIN.TXT
       
**File D:\FINDnFIX\NEWWIN.TXT
00001328: 01 00 00 00 01 00 00 00 . 5F 44 4C 4C 73 00 00 00 ........ _DLLs...
**File D:\FINDnFIX\NEWWIN.TXT
        ą’’’Ų  P €   ą  Š’’’vk     DeviceNotSelectedTimeoutč’’’1 5  `å °å čå Š’’’vk  €'   GDIProcessHandleQuota ą’’’vk  p   Spooler š’’’y e s ą’’’vk  €   swapdiskŠ’’’vk  Š   TransmissionRetryTimeoutš’’’9 0  `č Š’’’vk  €'   USERProcessHandleQuota Ų’’’vk  €   AppInit_DLLs Č ’’’’

#9 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 12:25 PM

Patience ;)

:thumbsup: Great progress! :thumbsup: this time!

Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, Delete and entire 'FINDnFIX' file+folder(s)
From C:\


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular, CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! :)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#10 krizz

krizz

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 25 June 2004 - 12:44 PM

"Cannot delete jajmlbaa.temp..... the source file maybe in use..."
What does it mean? However the junksite has been finaly appeard :D

#11 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 12:48 PM

It's only a tmp file created by my tools and still inuse-- :D
Restart your computer,

-delete the D:\FINDnFIX< folder including it's contents!

Edited by freeatlast, 25 June 2004 - 12:49 PM.

Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#12 krizz

krizz

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 25 June 2004 - 01:09 PM

Yeah... you did a great job! Thank's a lot for your help, and have a nice weekend. :weee:
------------------------------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 20:02:25, on 25.06.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINNT\system32\wuauclt.exe
D:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87E46E04-7386-444C-9715-A51F6E867D5C}: NameServer = 212.122.137.24 62.26.136.136

#13 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 25 June 2004 - 01:12 PM

Just 'snip' the single 'R1-Blank' on hijackthis log!

Stay out of trouble ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#14 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 27 June 2004 - 11:52 AM

Glad we could help :D



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button