
About:Blank Hijacked with abrdvd.exe? Remove?


3 replies to this topic

#1 rpalmer2

    Member

  • New Member
  • 2 posts

Posted 30 June 2004 - 08:46 AM

I've run Spy Sweeper numerous times, and Cool WWW, CWS-AboutBlank, CWS sp.html hijack, and abrdvd.exe keep returning. I ran HijackThis, and this is my log file:

Logfile of HijackThis v1.98.0
Scan saved at 8:29:03 AM, on 6/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Win32App\SQLLIB\bin\db2jds.exe
C:\Win32App\SQLLIB\bin\db2sec.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\RoboSource Control\RoboSourceControlNetServer.exe
C:\WINNT\system32\MSTask.exe
C:\win32app\RSAKeon\system\sdlss.exe
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\win32app\RSAKeon\System\SDTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Win32App\IBM\IMNNQ\imnsvdem.exe
C:\Win32App\IBM\IMNNQ\HTTPDL.exe
C:\win32app\MSOffice\Office\1033\msoffice.exe
C:\WINNT\abrdvd.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dstcustomercenter
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dstcustomercenter
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dstcustomercenter
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DST Systems, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://internet-help:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://internet-help:8080
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.kctv.com/...=5540&nav=1Pua"); (C:\Program Files\Netscape\Users\rhpalmer\prefs.js)
O1 - Hosts: 198.176.184.113 xtfinancialtrans.dstsystems.net
O1 - Hosts: 198.176.184.114 xtfinancialtrans1.dstsystems.net
O1 - Hosts: 198.176.184.115 xtfinancialtranstest.dstsystems.net
O1 - Hosts: 198.176.184.116 xtfinancialtranstest1.dstsystems.net
O2 - BHO: (no name) - {0227A798-A034-4992-8A40-8D4A7A31D58E} - C:\WINNT\system32\hglkk.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RSA SDTray] "C:\win32app\RSAKeon\\System\SDTray.exe"
O4 - HKLM\..\Run: [abrdvd] C:\WINNT\abrdvd.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Drempels Desktop.lnk = C:\WINNT\drempels.exe
O4 - Startup: Lotus Notes.lnk = C:\win32app\Notes\notes.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\win32app\MSOffice\Office\OSA9.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\win32app\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\win32app\rsakeon\system\mlr.dll
O10 - Unknown file in Winsock LSP: c:\win32app\rsakeon\system\mlr.dll
O14 - IERESET.INF: START_PAGE_URL=http://dstcustomercenter
O16 - DPF: SortListControl - http://jcwg:8120/tba...listcontrol.cab
O16 - DPF: SysMgmt - http://jcwg:8100/tba...ols/sysmgmt.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://dstquickplace...ems.com/qp2.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abet...19105/flash.cab
O16 - DPF: {3181F4C5-D556-436F-ACE7-416C1AFCBB73} (DST TreeView Control) - http://jcwg:8100/tba...s/DSTTREEVW.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {38481807-CA0E-42D2-BF39-B33AF135CC4D} - http://dst-proxy1.ds.....cts/ocget.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6765706A-0000-0010-8000-00AA00389B71} - http://dst-proxy1.ds.....cts/ocget.dll
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://dst_scm_web/DimPC_C/isetup.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearc...er_Enhancer.exe
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk....ViewerSetup.cab
O16 - DPF: {CBBD92B0-CFC7-43E6-B70B-A660B6BF6FFC} (DST ListView Control) - http://jcwg:8100/tba...s/DSTLISTVW.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - http://jcwg:8100/tba...rols/msxml3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.dstsystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.dstsystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.dstsystems.com

What should I do next? Thanks in advance.

#2 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 28 August 2004 - 08:15 PM

Due to the time passed ...
  • HijackThis ... (Download again as you are running an older version)
    • Double click on "My Computer" to open it.
    • Double click on the local "C-Drive" to open it.
    • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
    • Please download HijackThis from any of the following locations:
      • spywareinfo.com
      • subratam.org
      • tools.zerosrealm.com
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis, click on scan and wait for the scan to finish.
  • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
  • Notepad will open with a copy of the log.
    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
  • Please post your entire log here for analysis.


#3 rpalmer2

    Member

  • New Member
  • 2 posts

Posted 13 September 2004 - 11:38 AM

Logfile of HijackThis v1.98.2
Scan saved at 11:37:55 AM, on 9/13/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Win32App\SQLLIB\bin\db2jds.exe
C:\Win32App\SQLLIB\bin\db2sec.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\win32app\RSAKeon\system\sdlss.exe
c:\program files\microsoft enterprise instrumentation\bin\trace service\tracesessionmanager.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\MS\SMS\clicomp\sinv\sinv32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\qttask.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\win32app\RSAKeon\System\SDTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\win32app\MSOffice\Office\1033\msoffice.exe
C:\Win32App\IBM\IMNNQ\HTTPDL.exe
C:\win32app\Notes\NLNOTES.EXE
C:\Win32App\IBM\IMNNQ\imnsvdem.exe
C:\WINNT\system32\taskmgr.exe
C:\win32app\Notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dstcustomercenter
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dstcustomercenter
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dstcustomercenter
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DST Systems, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://internet-help:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://internet-help:8080
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.kctv.com/...=5540&nav=1Pua"); (C:\Program Files\Netscape\Users\rhpalmer\prefs.js)
O1 - Hosts: 198.176.184.113 xtfinancialtrans.dstsystems.net
O1 - Hosts: 198.176.184.114 xtfinancialtrans1.dstsystems.net
O1 - Hosts: 198.176.184.115 xtfinancialtranstest.dstsystems.net
O1 - Hosts: 198.176.184.116 xtfinancialtranstest1.dstsystems.net
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [RSA SDTray] "C:\win32app\RSAKeon\\System\SDTray.exe"
O4 - HKLM\..\Run: [abrdvd] C:\WINNT\abrdvd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RoboPDF] C:\WINNT\system32\spool\DRIVERS\W32X86\2\RPDFLchr.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Lotus Notes.lnk = C:\win32app\Notes\notes.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\win32app\MSOffice\Office\OSA9.EXE
O4 - Global Startup: Start HTML Search Server.lnk = C:\win32app\SQLLIB\bin\db2nq.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\win32app\rsakeon\system\mlr.dll
O10 - Unknown file in Winsock LSP: c:\win32app\rsakeon\system\mlr.dll
O14 - IERESET.INF: START_PAGE_URL=http://dstcustomercenter
O16 - DPF: SortListControl - http://jcwg:8120/tba...listcontrol.cab
O16 - DPF: SysMgmt - http://jcwg:8100/tba...ols/sysmgmt.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://dstquickplace...ems.com/qp2.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3181F4C5-D556-436F-ACE7-416C1AFCBB73} (DST TreeView Control) - http://jcwg:8100/tba...s/DSTTREEVW.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {38481807-CA0E-42D2-BF39-B33AF135CC4D} - http://dst-proxy1.ds.....cts/ocget.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6765706A-0000-0010-8000-00AA00389B71} - http://dst-proxy1.ds.....cts/ocget.dll
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://dst_scm_web/DimPC_C/isetup.cab
O16 - DPF: {A51DEDCD-20F7-11D4-98A5-00C0CA130748} (Tintel Class) - http://exe.dialer.tintel.nl/tcw.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk....ViewerSetup.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {CBBD92B0-CFC7-43E6-B70B-A660B6BF6FFC} (DST ListView Control) - http://jcwg:8100/tba...s/DSTLISTVW.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - http://jcwg:8100/tba...rols/msxml3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.dstsystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.dstsystems.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.dstsystems.com

#4 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 14 September 2004 - 07:09 PM

Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware (Ad-Aware SE Build 1.04) from here.
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-Aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • "Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full URL of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
  • Close all programs except Ad-Aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
After that, please go to Microsoft Windows Update and download all critical updates for your system. This is imperative.

Once that is done, post an updated HijackThis log.



