ChrisB

Home Search, Only the Best, and Search Extender

93 posts in this topic

Hi,

 

I am Chris and I don't know a lot about computers... I have the latest versions of HiJack This, CWShredder, About:Blank Buster, and Spybot... None of these programs are removing my hijackers... I get a homepage that Says "Home Search," and every time I try to use a search engine I get an extra page pop up saying "Searching the Search Engines..." They are both classic hijackers. I also keep getting pop ups from something called "Only the Best," which is full of porn and spyware products... I have tried all of the above removal tools, but they do not help at all. I am not a computer expert, I only know how to use one. I am not familiar with all the computer jargon. I do not know how to do most of what has been previously described as remedies... If anyone at all can help me, I would appreciate it, and I would contribute to this site if that is possible... PLEASE HELP ME, SOMEONE! I have a brand new computer and it's being ruined!!!

 

Sincerely,

Chris


Hi Chris, please download HijackThis v1.98 here.

Unzip to a convenient permanent folder, for example: C:/HiJackThis/HiJackThis.exe

Double click HijackThis.exe, and hit "Scan". The scan button will turn into "Save Log"; copy and paste the fresh log here...


I do not know how to paste the HiJack This Log to this site... As I said earlier, I am not a computer expert, I am more like barely competent... Can anyone offer any help for me??


No problem Chris,

Double-click on Hijackthis.exe, press scan. When the scan completes the 'scan' button will change into a 'save log' button. Press that. Your log will be open in notepad. Press ctrl+A to select everything, then ctrl+C to copy it all. Click on add reply in this thread and click in the reply window and press ctrl+V to paste your log.


OK! Here it is, I hope to soon figure this out... One thing though, there has been something added to my system within My Computer in Documents and Settings... This is the Only the Best pop up spyware... I cannot delete it; I have System Mechanic 4.0 and it won't send it to the incinerator....

 

Logfile of HijackThis v1.98.0

Scan saved at 6:16:29 PM, on 7/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\ieon32.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\sysun.exe

A:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xptrh.dll/index.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll

O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Chris, have you fixed anything with HijackThis prior to this? I ask because I'd expect a lot more things listed between the R3 - and the O17 -. If you have, we can put it back because HijackThis should have made a backup.


Hi,

 

Thanks for responding... Yes I have used Hijack This many times as I tend to get lots of these problems... I just downloaded the latest version (I think it is 1.98 or something?) yesterday from this site... I have been using CWShredder, Hijack This, Spybot, and About Buster. Last time I used them was midday today...

 

Chris


In the last few times you used HijackThis did you place a tick next to some items and hit 'fix checked'? At the moment it looks like you have no programs running at startup, no toolbars, no anything in fact!


Yes I have clicked fix many times in the past and recently... I usually find that that helps my problems... I usually fixed everything listed... I guess that was bad?


It's ok, we should be able to sort it out. Most of it is harmless. Open Hijackthis, in the bottom right hand corner click 'config' then at the top hit 'backups', select everything listed from the first backup and click 'restore'. Exit Hijackthis and reboot your pc. Scan with spybot and adware and reboot. Re-run Hijackthis and paste a new log as before (don't fix anything). I'm at work right now and won't be able to reply until lunchtime. If you look in about 3hrs I should have replied. If possible please don't turn off your pc until after then.

Edited by Scoff


That is fine... I can wait until you have the time. I will do what you suggest and I can leave the computer on until then.


If you do that and post the log now, I can get straight in to it and have a fix by lunchtime.... :)


Hi,

 

I will try to do that here in the next few moments; I am sorry for taking so long but I had another matter to take care of... Take your time-I'm sure it can be worked out since you said it was mostly harmless...

Check back when you can...


The contents of the full log are mostly harmless and sometimes essential, which is why we need to restore them. About adaware - my mistake. So, the order is - if you restore the backup from hijackthis, reboot, scan with spybot, reboot, install & scan with ad-aware, reboot, post a fresh log. Instructions for ad-aware below - it may help to print them.

 

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select:

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives

Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

 

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.


After restoring all that was in the list in Hijack This-Here is the result...

 

Logfile of HijackThis v1.98.0

Scan saved at 10:59:07 PM, on 7/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\ieon32.exe

C:\WINDOWS\system32\sysun.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

A:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xptrh.dll/index.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll

O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


Here is the new Hijack This log after I restored all that was in the list....

 

Logfile of HijackThis v1.98.0

Scan saved at 11:03:48 PM, on 7/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\ieon32.exe

C:\WINDOWS\system32\sysun.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

A:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xptrh.dll/index.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll

O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


I'm very sorry but I have a problem with ad aware.... I downloaded it and saved it but when I click on it it just takes me through the installation process again without launching it... Sorry...


You may be double clicking the installation icon again rather than the new program icon that should be on the desktop, try looking for another icon or from the program list in your start menu.


Ok Chris - I've got to go for now but I've asked for someone to have a second look at this before we clean up anything. I should be back later today - back to work now :thumbsdown:


I have looked at that about blank buster from ducky earlier, but I don't really understand his directions- I don't know what safe mode means and how to get there and I don't know what R1 etc means.... I am far from being familiar with these technical problems.... :unsure:


First use about.buster after downloaded and run it. Make sure you have all Explorer windows closed. Also notice how all the virus files are variants of mdfgt32.dll or .cab. Those are the ones you're looking for. If they are still running after you call up Task Manager (ctrl-alt-del)..just look for any that about.buster says it has an error removing in your task manager file (if any).

 

Again follow these instructions in the link I provided above...really simple...just scroll down to them

 

I have seen many people posting on this and other forums to view this page on how to remove. Now most of you never get to the end of this topic. There is a new fix out. Follow the fix below...

 

Download About:Buster and unzip it to your desktop. Start it, hit Ok, Start, And Ok again to start the scan. It will generate a log. Post that log along with a new Hijack this log in post you came from.

 

This post has been edited by RubbeR DuckY on Jul 6 2004, 01:01 PM

 

 

--------------------

 

Ducky - Proud Developer of About:Buster.

Visit the About:Buster forums here

 

Hijack This - Help Page and Download Page Here


Well Gee... Now my Hijack This won't work... When I try to fix the BHO and O4 like About:Buster says to do, I get an error message saying an unexpected error has occurred from merijn.... :eek:


I am giving up on this for tonight. If anyone thinks they can offer any assistance, I would love to hear it... Keep posting and I will get back with you tomorrow in the afternoon... My HiJack This still gives me an error message when I try to fix the BHO and O4 listing in the scan... Dunno why...... :wave:


Chris,

 

Good news, I finally did it, go to the thread between Liorajane and Fireflyer. Follow it exactly, mine's working great now.

 

Good luck

Brian


Hi Chris

 

Can you give the full error message you get when Hijackthis stops... when we sort that we'll remove one of the infections with about buster and see about the missing entries in your log.


Error Message says:

 

An unexpected error has occured at procedure: cmdFix_Click()

Error #75 - Path/File access error (14 items in results list)

 

Please email me at merijn@spywareinfo.com, reporting the following:

*What you were doing when the error occured

*How you can reproduce the error

*A complete Hijack This scan log, if possible

 

Windows version: Windows NT 5.01 .2600

MSIE version: 6.0.2800.1106

Hijack This version: 1.98.0

 

This message has been copied to your clipboard.


Hi Chris

 

It will help to print this out as most of it will be done offline.

 

If you have hijackthis on a floppy, please move it to its own directory in c:. In windows explorer highlight C:, go to file > new > folder and call it HJT or hijackthis. Run it from there rather than A:. Can you also double check that ad-aware is set up as per the previous instructions.

 

1. Download the latest version of About:Buster from http://www.ducky.atribune.org/ ; make sure it is on your desktop - it needs to be run from there.

 

2. Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here

 

3. Run About:Buster while you are in Safe Mode.

Hit Ok on the first prompt, Start on the second. Then Ok to start the removal. A log will start to form. After the program runs, save the log somewhere.

 

Then hit Ok again to start a second scan, save that log also.

 

Scan with ad-aware.

 

Now reboot normally. When done, go to start > run and type msconfig in the window and hit enter. When the box appears select normal startup and under the system.ini - win.ini - services and startup tabs click 'enable all' if not already done. Hit ok and reboot normally again.

 

Run hijack this and post the new log and the two reports from about buster.

 

It's going to get a bit confusing chasing down links posted by other people, have a look at this. The other posts are correct in essence but you should only follow advice from people recognised at the forum.

http://forums.spywareinfo.com/index.php?showtopic=148

Edited by Scoff


I have moved Hijack This to my C drive to the best of my ability... I didn't quite understand all of the directions... I will move About: Buster to the C drive also. I believe Ad Aware is downloaded to my computer correctly... I have the icon on my desktop and it seems to be working normally...

 

Chris


I followed your directions in safe mode as suggested except for saving the log of About:Buster... I saw no way of saving the log, there was nothing that said save on it to click after I scanned... There have been some changes... After I rebooted normally, the Home Search seems to be gone... When I clicked on IE, I was taken to Google... It seems the homepage hijack is gone. I do think that the Only the Best spyware remains and my Spybot is still placing a warning popup on my screen every so often telling me that it has detected an important registry entry that has been changed... It tells me that an entry has been added called syslc32.exe.


For sure Only the Best remains- I just had another pop up... And when I click on Deny Change when the Spybot warning comes up, it repeats popping up numerous times every few seconds....


Chris

 

If AboutBuster is not on the desktop, can you open up windows explorer and go to the folder you have saved it in and drag the icon out of explorer and into the background screen you see when your pc starts - the desktop. If you have all windows closed you should see the icon for it somewhere on screen.

 

Reboot into safe mode and can you run about buster again, double click the icon you see on screen, when the report pops up at the end of the scan, click in the window, press ctrl+A to select it, then ctrl+C to copy it, open the program notepad or wordpad (which ever you have) and press ctrl+V to paste it. Then save it as AB1.txt or similar. Now reboot normally.

 

Please make sure you followed the section about 'enabling all' in start > run > msconfig - if you did not do it last time - do it now. If you did it last time, that's good - just let it reboot and go on to the next step.

 

When you boot up normally can you run Hijackthis again from its location C:Hijackthis (whatever you called the folder) perform a scan and copy and paste the results here, open up the saved file AB1.txt and copy and paste the about buster report into here as well.

 

This will let us know how well it worked and what is left to do.


OK here is the scan from Hijack This... I could not copy or paste the scan from About Buster-when I clicked on ctrl A and ctrl C, nothing happened...

 

Logfile of HijackThis v1.98.0

Scan saved at 9:23:14 PM, on 7/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\ieon32.exe

C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\nethd.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Documents and Settings\Shaun Blankenship\Spybot - Search & Destroy\TeaTimer.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{2749E0A5-2ADD-4C0E-ACE4-35E22A9BF0F1}: NameServer = 12.150.146.200 12.150.144.1

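The by-eye comparison between the 7/21 and 7/22 logs above can be scripted. This is an added example, not part of the original thread: it parses two pasted HijackThis logs, reports what changed between them, and picks out R0/R1 values that point Internet Explorer at a local res:// or file:// page. The sample logs are excerpts of the ones posted above; the function names and the res://-or-file:// heuristic are assumptions of this example.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # "R1 - ...", "O17 - ..."
PROC_RE = re.compile(r"^[A-Za-z]:\\")               # absolute Windows path

def parse_log(text):
    """Return (running processes, [(section code, body), ...]) for one pasted log."""
    procs, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # forum pastes double-space every row
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and PROC_RE.match(line):
            path = line.lower()           # letter case differs between scans
            if path.rsplit("\\", 1)[-1] != "hijackthis.exe":   # skip the scanner itself
                procs.add(path)
    return procs, entries

def diff_logs(before, after):
    """Summarise what disappeared, stayed and appeared between two scans."""
    b_procs, b_entries = parse_log(before)
    a_procs, a_entries = parse_log(after)
    return {
        "procs_gone": sorted(b_procs - a_procs),
        "procs_new": sorted(a_procs - b_procs),
        "entries_gone": [e for e in b_entries if e not in a_entries],
        "entries_left": [e for e in a_entries if e in b_entries],
        "entries_new": [e for e in a_entries if e not in b_entries],
    }

def local_page_redirects(entries):
    """R0/R1 settings whose value is a res:// or file:// URL (heuristic of this example)."""
    hits = []
    for code, body in entries:
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if value.lower().startswith(("res://", "file://")):
                hits.append((key, value))
    return hits

# Excerpt of the log saved at 11:03:48 PM on 7/21/2004 (from the thread above).
BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ieon32.exe
C:\WINDOWS\system32\sysun.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xptrh.dll/sp.html#26512
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xptrh.dll/index.html#26512
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
O4 - HKLM\..\Run: [sysun.exe] C:\WINDOWS\system32\sysun.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

# Excerpt of the log saved at 9:23:14 PM on 7/22/2004 (from the thread above).
AFTER = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ieon32.exe
C:\WINDOWS\nethd.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\SHAUNB~1\LOCALS~1\Temp\sp.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {26EB855E-8020-394A-64FD-DB123824DB35} - C:\WINDOWS\javapn.dll
"""

if __name__ == "__main__":
    for label, items in diff_logs(BEFORE, AFTER).items():
        print(label, len(items))
        for item in items:
            print("   ", item)
    print("still redirected:", local_page_redirects(parse_log(AFTER)[1]))
```
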

My Spybot popup warnings continue almost continuously now... Last one was something called nethd.exe in the Global Startup category...


When you hit ctrl+A then ctrl+c before you will have copied it to the clipboard - going into notepad and pressing ctrl+v should have made it appear.

 

Run about buster normally (don't boot into safe mode). Right click anywhere in the white area and select 'select all' press ctrl and C at the same time. Then connect to the internet, come here and in add reply, click in the white reply box and press ctrl+v just like you pasted the hijack this log.

 

It will look like this (the actual text will probably be a bit different from your pc)

 

-- Scan 1 --------

About:Buster Version 1.27

Attempted Clean Of Temp folder.

Pages Reset... Done!


OK- Here is the scan from About: Buster...

 

-- Scan 1 --------

About:Buster Version 1.31

Removed! : C:\WINDOWS\czqxku.dat

Removed! : C:\WINDOWS\nethd.exe

Removed! : C:\WINDOWS\xptrh.dll

Removed! : C:\WINDOWS\System32\sfsic.dat

Removed! : C:\WINDOWS\System32\ubqyz.dat

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

Then reboot

 

Edit : I'm going to ask someone to help with the next step , please don't do anything else yet.

Edited by Scoff


I just completed the reboot and Spybot warned me of the About: Blank hijack trying to change my homepage and an msse.exe entry...


Chris,

 

Although AboutBuster worked you also have another different About:Blank hijack. I've asked an expert to help with this.


Hi guys - could you post a new HJT log for me, make sure that you don't have anything in the ignore list. Also click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.
