Please help this is my 2nd Posting


3 replies to this topic

#1 Bfent (New Member, 2 posts)

Posted 07 July 2004 - 08:38 PM

Can someone please help with my little problem?
My log is below.

Thanks for the help.

B

Logfile of HijackThis v1.98.0
Scan saved at 9:57:40 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\atlta32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\MOTHER~1\MBM5.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\syspy32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mzeog.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mzeog.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mzeog.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mzeog.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mzeog.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mzeog.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10FEB7E7-4A2D-6D1F-3B9F-8F9FEE32D825} - C:\WINDOWS\system32\atlvk.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [MBM 5] C:\PROGRA~1\MOTHER~1\MBM5.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [syspy32.exe] C:\WINDOWS\syspy32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunOnce: [atlta32.exe] C:\WINDOWS\atlta32.exe
O4 - HKLM\..\RunOnce: [crti32.exe] C:\WINDOWS\system32\crti32.exe
O4 - HKLM\..\RunOnce: [sysin.exe] C:\WINDOWS\sysin.exe
O4 - HKLM\..\RunOnce: [sdkjw32.exe] C:\WINDOWS\system32\sdkjw32.exe
O4 - HKLM\..\RunOnce: [atliw.exe] C:\WINDOWS\system32\atliw.exe
O4 - HKLM\..\RunOnce: [atlkq.exe] C:\WINDOWS\atlkq.exe
O4 - HKLM\..\RunOnce: [atlwj32.exe] C:\WINDOWS\system32\atlwj32.exe
O4 - HKLM\..\RunOnce: [atlxl32.exe] C:\WINDOWS\atlxl32.exe
O4 - HKLM\..\RunOnce: [javail.exe] C:\WINDOWS\system32\javail.exe
O4 - HKLM\..\RunOnce: [apikp.exe] C:\WINDOWS\system32\apikp.exe
O4 - HKLM\..\RunOnce: [iezn.exe] C:\WINDOWS\iezn.exe
O4 - HKLM\..\RunOnce: [d3kb.exe] C:\WINDOWS\system32\d3kb.exe
O4 - HKLM\..\RunOnce: [winlk.exe] C:\WINDOWS\winlk.exe
O4 - HKLM\..\RunOnce: [mfcnl32.exe] C:\WINDOWS\mfcnl32.exe
O4 - HKLM\..\RunOnce: [d3md.exe] C:\WINDOWS\d3md.exe
O4 - HKLM\..\RunOnce: [javafq.exe] C:\WINDOWS\system32\javafq.exe
O4 - HKLM\..\RunOnce: [crqf.exe] C:\WINDOWS\system32\crqf.exe
O4 - HKLM\..\RunOnce: [sysgw.exe] C:\WINDOWS\sysgw.exe
O4 - HKLM\..\RunOnce: [mscg32.exe] C:\WINDOWS\system32\mscg32.exe
O4 - HKLM\..\RunOnce: [crjs.exe] C:\WINDOWS\system32\crjs.exe
O4 - HKLM\..\RunOnce: [mfcjw32.exe] C:\WINDOWS\mfcjw32.exe
O4 - HKLM\..\RunOnce: [appqq.exe] C:\WINDOWS\appqq.exe
O4 - HKLM\..\RunOnce: [atlau.exe] C:\WINDOWS\system32\atlau.exe
O4 - HKLM\..\RunOnce: [mfciz.exe] C:\WINDOWS\mfciz.exe
O4 - HKLM\..\RunOnce: [appcz.exe] C:\WINDOWS\system32\appcz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ComcastHSI - {3AAF7F03-3742-4B03-B1F4-79A00DF1162A} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {CB769E4A-D10C-4E06-81B2-CA6E2C9E33BE} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {F7B2BF84-70CC-4E99-87F4-E0DAC32406AC} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} - http://webpdp.gator....ptdmgainads.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab

#2 Derith (Full Member, 42 posts)

Posted 08 July 2004 - 09:01 AM

Heya Bfent,

After looking at your Hijack This log I noticed that you are running it from your desktop. When Hijack This deletes an item it creates backups in the folder it's running from. If that folder is actually the desktop the backups get strewn all over and it's a big hassle.

To avoid that please move HijackThis.exe to a permanent folder like C:\HJT

You're infected with a nasty form of the Cool Web Search hijack as well as a few other pieces of spyware. We're going to start by removing CWS.
  • Download AboutBuster from http://www.atribune....AboutBuster.zip
  • Boot into Safe Mode - How to boot into safe mode
  • Run AboutBuster.exe and do the following.
    • Hit Ok on the first prompt, Start on the second. Then Ok to start the removal.
    • A log will start to form. After the program runs save the log in a text (notepad) file.
  • Run AboutBuster.exe again and save the log file.
Reboot back into normal mode and post the logs from AB along with a fresh Hijack This log.

#3 Bfent (New Member, 2 posts)

Posted 10 July 2004 - 07:10 AM

Derith,

Thanks so much for taking this on; I was getting ready to format.
Below are my new logs.

Thanks again for the help.

-B

Logfile of HijackThis v1.98.0
Scan saved at 7:56:21 AM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {10FEB7E7-4A2D-6D1F-3B9F-8F9FEE32D825} - C:\WINDOWS\system32\atlvk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [MBM 5] C:\PROGRA~1\MOTHER~1\MBM5.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [syspy32.exe] C:\WINDOWS\syspy32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} - http://webpdp.gator....ptdmgainads.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab


-- Scan 1 --------
About:Buster Version 1.26
Removed! : C:\WINDOWS\aicgfj.dat
Removed! : C:\WINDOWS\appqq.exe
Removed! : C:\WINDOWS\atlkq.exe
Removed! : C:\WINDOWS\atlta32.exe
Removed! : C:\WINDOWS\atlxl32.exe
Removed! : C:\WINDOWS\avgiqn.dat
Removed! : C:\WINDOWS\bxtcjy.dat
Removed! : C:\WINDOWS\cqxlqr.dat
Removed! : C:\WINDOWS\d3md.exe
Removed! : C:\WINDOWS\dfpsqt.dat
Removed! : C:\WINDOWS\dhwnvc.dat
Removed! : C:\WINDOWS\efpbuu.dat
Removed! : C:\WINDOWS\eihgbt.dat
Removed! : C:\WINDOWS\eujicb.dat
Removed! : C:\WINDOWS\faoozt.dat
Removed! : C:\WINDOWS\hptyfl.dat
Removed! : C:\WINDOWS\hrnleb.dat
Removed! : C:\WINDOWS\iewt.exe
Removed! : C:\WINDOWS\iezn.exe
Removed! : C:\WINDOWS\ikjwhl.dat
Removed! : C:\WINDOWS\jdpqrp.dat
Removed! : C:\WINDOWS\jfcvw.dat
Removed! : C:\WINDOWS\jgnusa.dat
Removed! : C:\WINDOWS\jkdoob.dat
Removed! : C:\WINDOWS\mfciz.exe
Removed! : C:\WINDOWS\mfcjw32.exe
Removed! : C:\WINDOWS\mfcnl32.exe
Removed! : C:\WINDOWS\mobonu.dat
Removed! : C:\WINDOWS\msdo32.exe
Removed! : C:\WINDOWS\msxp32.exe
Removed! : C:\WINDOWS\nflkci.dat
Removed! : C:\WINDOWS\nhqquq.dat
Removed! : C:\WINDOWS\nmsio.dat
Removed! : C:\WINDOWS\n_gsetxt.dat
Removed! : C:\WINDOWS\n_jgnusa.dat
Removed! : C:\WINDOWS\n_nhqquq.dat
Removed! : C:\WINDOWS\oneoak.dat
Removed! : C:\WINDOWS\oqbnnh.dat
Removed! : C:\WINDOWS\pfknfq.dat
Removed! : C:\WINDOWS\qcrzkr.dat
Removed! : C:\WINDOWS\rnbsga.dat
Removed! : C:\WINDOWS\rnlper.dat
Removed! : C:\WINDOWS\rseqbh.dat
Removed! : C:\WINDOWS\srcrxe.dat
Removed! : C:\WINDOWS\sysgw.exe
Removed! : C:\WINDOWS\sysin.exe
Removed! : C:\WINDOWS\vmjsrg.dat
Removed! : C:\WINDOWS\winlk.exe
Removed! : C:\WINDOWS\winxf.exe
Removed! : C:\WINDOWS\xekawm.dat
Removed! : C:\WINDOWS\ynwzss.dat
Removed! : C:\WINDOWS\zrznqy.dat
Removed! : C:\WINDOWS\System32\apikp.exe
Removed! : C:\WINDOWS\System32\appcz.exe
Removed! : C:\WINDOWS\System32\atlau.exe
Removed! : C:\WINDOWS\System32\atliw.exe
Removed! : C:\WINDOWS\System32\atlvk.dll
Removed! : C:\WINDOWS\System32\atlwj32.exe
Removed! : C:\WINDOWS\System32\crjs.exe
Removed! : C:\WINDOWS\System32\crqf.exe
Removed! : C:\WINDOWS\System32\crti32.exe
Removed! : C:\WINDOWS\System32\d3kb.exe
Removed! : C:\WINDOWS\System32\iswbo.dat
Removed! : C:\WINDOWS\System32\javafq.exe
Removed! : C:\WINDOWS\System32\javail.exe
Removed! : C:\WINDOWS\System32\javair32.exe
Removed! : C:\WINDOWS\System32\mscg32.exe
Removed! : C:\WINDOWS\System32\ntux.exe
Removed! : C:\WINDOWS\System32\sdkjw32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed __NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.26
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

#4 Derith (Full Member, 42 posts)

Posted 12 July 2004 - 10:15 PM

It looks like nearly all the problems are gone. AboutBuster appears to have missed a file though. We'll get rid of that plus a few other leftovers.

Close Internet Explorer and all other open windows.

Run HijackThis and click Scan. Place a check next to the following lines.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {10FEB7E7-4A2D-6D1F-3B9F-8F9FEE32D825} - C:\WINDOWS\system32\atlvk.dll (file missing)
O4 - HKLM\..\Run: [syspy32.exe] C:\WINDOWS\syspy32.exe
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} - http://webpdp.gator....ptdmgainads.cab
O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator....094_hd3ptdm.cab

Click 'Fix Selected' and close Hijack.

Now we need to reboot into Safe Mode. How to boot into safe mode

The following files and folders need to be deleted. Make sure your settings allow you to view 'Hidden files'. Open up any explorer window and click on 'Tools' -> 'Folder Options' -> 'View' and be sure to check off 'Show Hidden Files and Folders'.
  • C:\WINDOWS\syspy32.exe
Clearing Temp Files
  • Click on Start then Run, type cleanmgr and press ok.
  • Select the drive Windows is installed on (usually c:) and press ok.
  • Make sure Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files are checked, press ok, then click Yes to confirm.
Reboot back into normal mode and post a fresh Hijack log.
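The tells Derith reads out of the two logs in this thread (start and search pages redirected into a res:// path inside a DLL, a BHO with no name, RunOnce entries launching short random-named executables straight out of C:\WINDOWS, the gator ActiveX downloads, and the atlvk.dll entry left behind with "(file missing)") can be written down as a small triage script. This is an added example, not code from the thread or from HijackThis; the sample lines are constructed from the logs above and the ALLOWLIST is a placeholder starter list.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mzeog.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {10FEB7E7-4A2D-6D1F-3B9F-8F9FEE32D825} - C:\WINDOWS\system32\atlvk.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\RunOnce: [atlta32.exe] C:\WINDOWS\atlta32.exe
O4 - HKLM\..\RunOnce: [javail.exe] C:\WINDOWS\system32\javail.exe
O4 - HKLM\..\Run: [syspy32.exe] C:\WINDOWS\syspy32.exe
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} - http://webpdp.gator....ptdmgainads.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
"""

# O4 autorun line: "O4 - <hive>\..\<Run|RunOnce>: [<entry name>] <command>"
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A bare executable sitting directly in the Windows or System32 directory, named
# with a few letters plus an optional "32" (atlta32, javail, syspy32 in this thread).
DROPPED_RE = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?(?P<base>[a-z]{3,7}(?:32)?\.exe)$", re.I)
# Legitimate short-named Windows binaries the name heuristic would otherwise flag
# (constructed starter list; a real allowlist would be much longer).
ALLOWLIST = {"ctfmon.exe", "rundll32.exe"}


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        tells = []
        # R0/R1: IE start/search pages pointing into a res:// resource inside a DLL.
        if section in ("R0", "R1") and "= res://" in line and ".dll" in line.lower():
            tells.append("IE page redirected into a res:// resource in a DLL")
        # O2: browser helper objects that hide their name, or whose file is already gone.
        if section == "O2":
            if "(no name)" in line:
                tells.append("BHO with no name")
            if "(file missing)" in line:
                tells.append("orphaned registry entry, file already removed")
        # O4: autorun entries launching a short random-looking binary from C:\WINDOWS.
        if section == "O4" and (m := O4_RE.match(line)):
            cmd = m.group("cmd").strip().strip('"')
            d = DROPPED_RE.match(cmd)
            if d and d.group("base").lower() not in ALLOWLIST:
                tells.append("short random-looking executable dropped in the Windows directory")
                if m.group("name").lower() == d.group("base").lower():
                    tells.append("autorun entry named after its own file")
        # O16: ActiveX downloads from the adware host Derith flags in this thread.
        if section == "O16" and "gator." in line.lower():
            tells.append("ActiveX download from an adware distribution host")
        if tells:
            findings.append(("; ".join(tells), line))
    return findings
```

Run `triage(SAMPLE_LOG)` and the six flagged lines come back with their reasons, while the Norton, HP and Google entries pass untouched; the name heuristic is deliberately loose, so a real deployment needs a proper allowlist of known short-named Windows binaries.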



