Removal of various -ware junk


15 replies to this topic

#1 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 23 July 2004 - 04:16 PM

Could someone tell me what here I should delete? Here's my log file:

Logfile of HijackThis v1.98.0
Scan saved at 5:05:38 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C8C04DE8-E263-4F41-ABED-C82309B50170} - C:\WINDOWS\System32\ienkc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Ad Guard - {CE0A34D3-C30F-4F3D-B0D3-9B936EDFBD91} - C:\Program Files\\AdGuard\AdGuard.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Account Setup.lnk = C:\Program Files\Verizon Online\VOLSW\Accstp4.0.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C491B0DA-30B0-42E2-984F-78BA47F6BAAB}: NameServer = 151.197.0.39 151.197.0.38
O18 - Filter: text/html - {81F42825-5A6D-4F4D-A71B-E7692432F882} - C:\WINDOWS\System32\ienkc.dll
O18 - Filter: text/plain - {81F42825-5A6D-4F4D-A71B-E7692432F882} - C:\WINDOWS\System32\ienkc.dll
O20 - AppInit_DLLs: C:\WINDOWS\

#2 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 23 July 2004 - 04:29 PM

Here is an updated list after I allowed myself to view hidden files

Logfile of HijackThis v1.98.0
Scan saved at 5:28:24 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Berts\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C8C04DE8-E263-4F41-ABED-C82309B50170} - C:\WINDOWS\System32\ienkc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: Ad Guard - {CE0A34D3-C30F-4F3D-B0D3-9B936EDFBD91} - C:\Program Files\\AdGuard\AdGuard.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Account Setup.lnk = C:\Program Files\Verizon Online\VOLSW\Accstp4.0.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C491B0DA-30B0-42E2-984F-78BA47F6BAAB}: NameServer = 151.197.0.39 151.197.0.38
O18 - Filter: text/html - {81F42825-5A6D-4F4D-A71B-E7692432F882} - C:\WINDOWS\System32\ienkc.dll
O18 - Filter: text/plain - {81F42825-5A6D-4F4D-A71B-E7692432F882} - C:\WINDOWS\System32\ienkc.dll
O20 - AppInit_DLLs: C:\WINDOWS\

#3 gravylover5

gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • PipPipPip
  • 121 posts

Posted 23 July 2004 - 05:24 PM

Hello Bertsmusic, and welcome to the forums. Please print out my instructions for reference during the fix.

I believe I have a solution for this problem. Try and bear with me, for it is quite extensive.

1. Double-click My Computer.
2. Click the Tools menu, and then click Folder Options.
3. Click the View tab.
4. Clear "Hide file extensions for known file types."
5. Under the "Hidden files" folder, select "Show hidden files and folders."
6. Clear "Hide protected operating system files."
7. Click Apply, and then click OK.

Now navigate to:
C:\WINDOWS\system32\dllcache\notepad.exe <--file and right click it.
Choose copy from the menu.
Now go back one folder to:
C:\WINDOWS\system32 <-- folder and click on an empty spot in the right hand pane. Then right click there and select copy from the menu.

Now go back another folder to:
C:\WINDOWS <-- folder and do the copy thing again.
(click on an empty spot in the right hand pane. Then right click there and select copy from the menu.)

Close Explorer.

Go to start > run > type notepad enter.

Now copy and paste the bold below into that notepad file:


Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

From the top menu, select > save as > select the desktop to *save in*

name the file Appinit.bat

in the *save as type* box select *All Files*

Now click *save*

Go to your desktop and double click the Appinit.bat file you just created.

If it was done correctly...This will create a file on the desktop named windows.txt
Copy and paste the contents of that file into your next reply.
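
Added example, not part of the original posts: `Reg save` writes a binary registry hive (`regf`), and renaming it to `.txt` does not convert it, so string values inside it remain UTF-16LE bytes. This Python sketch reads `AppInit_DLLs` directly from such a file; `read_value` and `build_sample_hive` are hypothetical names, the sample hive is constructed, and only REG_SZ/REG_EXPAND_SZ values stored in ordinary cells are handled.

```python
import struct

BASE_BLOCK = 0x1000        # hive bins start after the 4096-byte regf header
VK_NAME_ASCII = 0x0001     # vk flag: value name is stored as 8-bit text
REG_SZ, REG_EXPAND_SZ = 1, 2


def _parse_vk(hive, pos, wanted):
    """Decode one candidate vk (value) record; None if it is not the one wanted."""
    if pos + 20 > len(hive):
        return None
    # After the 2-byte "vk" tag: name length, data length, data offset, type, flags.
    name_len, data_len, data_off, data_type, flags = struct.unpack_from(
        "<HIIIH", hive, pos + 2)
    raw_name = hive[pos + 20:pos + 20 + name_len]
    if len(raw_name) != name_len:
        return None
    codec = "latin-1" if flags & VK_NAME_ASCII else "utf-16-le"
    name = raw_name.decode(codec, "replace")
    if name.lower() != wanted.lower() or data_type not in (REG_SZ, REG_EXPAND_SZ):
        return None
    if data_len & 0x80000000:
        # Small values (4 bytes or fewer) live inside the offset field itself.
        data = hive[pos + 8:pos + 8 + (data_len & 0x7FFFFFFF)]
    else:
        start = BASE_BLOCK + data_off + 4   # skip the data cell's 4-byte size
        data = hive[start:start + data_len]
    return data.decode("utf-16-le", "replace").rstrip("\x00")


def read_value(hive: bytes, wanted: str):
    """Return the string data of value `wanted` from a saved hive, or None."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive (missing regf signature)")
    pos = hive.find(b"vk", BASE_BLOCK)
    while pos != -1:
        hit = _parse_vk(hive, pos, wanted)
        if hit is not None:
            return hit
        pos = hive.find(b"vk", pos + 2)
    return None


def build_sample_hive(name: str, text: str) -> bytes:
    """Constructed test input: a minimal hive holding a single REG_SZ value."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    data_cell = struct.pack("<i", -(4 + len(data))) + data
    data_off = 0x20                         # first cell after the 32-byte hbin header
    vk = (b"vk" + struct.pack("<HIIIHH", len(name), len(data), data_off,
                              REG_SZ, VK_NAME_ASCII, 0) + name.encode("ascii"))
    vk_cell = struct.pack("<i", -(4 + len(vk))) + vk
    hbin = b"hbin" + bytes(28) + data_cell + vk_cell
    return b"regf" + bytes(BASE_BLOCK - 4) + hbin


if __name__ == "__main__":
    # Path taken from the thread; the hive around it is constructed.
    sample = build_sample_hive("AppInit_DLLs", r"C:\WINDOWS\System32\ctln.dll")
    print(read_value(sample, "AppInit_DLLs"))
```

To run it against a real export, pass the file's bytes, read with `open(path, "rb").read()`, to `read_value`.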

#4 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 26 July 2004 - 10:39 AM

Here are the contents of that file. Thanks for your help!!

regf Pugfhbinnk,\p0x0:yTimWindowsskxx ! !?  ?$?[;8X jP[;8X jP[;8X jPvk |AppInit_DLLs'C:\WINDOWS\ystem32\ctln.dllvkHsDeviceNotSelectedTimeout15(90|\|vk'GDIProcessHandleQuotaeNovkdlSpooleryeseouthvkswapdiskvkXNTransmissionRetryTimeouthPvk'USERProcessHandleQuota

#5 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 26 July 2004 - 10:41 AM

Here's a question:

What did you mean for this:

{Now navigate to:
C:\WINDOWS\system32\dllcache\notepad.exe <--file and right click it.
Choose copy from the menu.
Now go back one folder to:
C:\WINDOWS\system32 <-- folder and click on an empty spot in the right hand pane. Then right click there and select copy from the menu.

Now go back another folder to:
C:\WINDOWS <-- folder and do the copy thing again.
(click on an empty spot in the right hand pane. Then right click there and select copy from the menu.)}


I couldn't copy an empty space on the right pane, it wouldn't even give that option. I could paste it, though. Did you mean copy and then paste?
Because I can do that. Let me know! Thanks!

#6 gravylover5

gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • PipPipPip
  • 121 posts

Posted 27 July 2004 - 01:19 PM

Yes, you were supposed to paste it. That was a typo on my part. I apologize.

#7 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 28 July 2004 - 10:16 AM

Forget about it. Here is the proper copy of the windows.txt file. Should it be this way?

regf       Pugf hbin  nk, \p  0 x 0 : yTim Windows sk x x             !    !  ?          ?       $ ?    [;8X j P      [;8X j P   [;8X j P vk     | AppInit_DLLs' C : \ W I N D O W S \ y s t e m 3 2 \ c t l n . d l l   vk  H   s DeviceNotSelectedTimeout1 5  ( 9 0 | \| vk  '    GDIProcessHandleQuotaeNovk     dlSpooler y e s eout   h   vk    swapdiskvk  X   N TransmissionRetryTimeout  h    P vk  '   USERProcessHandleQuota



Thanks!

#8 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 29 July 2004 - 04:21 PM

Any luck, Gravy?

#9 gravylover5

gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • PipPipPip
  • 121 posts

Posted 29 July 2004 - 09:08 PM

Bertsmusic,

:D That's what I was looking for. Please print out these instructions for reference during the fix.

Windows.txt reveals that the super hidden reinstalling file name is:
C:\WINDOWS\System32\ctln.dll

Now we just need to nuke it.

The removal method is a tad different depending on your version of XP and your type of file structure.

Are you running XP Home or Pro and is your file system FAT32 or NTFS?
Look in My Computer. Right click the C drive and choose properties to find the File System.

I will give you instructions for each. Pick the one applicable to you.

........................................................................................................

Download the zipped file below to your desktop:
http://computercops....ownload&id=2028

Sign off the internet and stay off until all of these steps have been completed.

Extract (unzip) the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box.

It is critical that you do not run it from the zipped folder. To extract (unzip) it.... right click the .zip file on your desktop and select *extract all files*. Follow the extraction Wizard (keep clicking next) and by default the extracted (unzipped) hiving folder will be placed on your desktop. Open the hiving folder and inside will be a file named hiving.bat.

Double click on hiving.bat to run it and then reboot to safe mode (tap the F8 key at boot to enter safe mode).

After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.
..........................................................................................................

Once in safe mode the instructions will be the same for Home and Pro versions with NTFS file structure.

Like so....

Once in safe mode, Navigate to and right click this file and select properties:
C:\WINDOWS\System32\ctln.dll <-- file

use the security tab on the file and take ownership.
How to take ownership of a file or folder in Windows XP

Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Then if that fails try to rename it again to different name+ext.

Ex:
ctln.dll > baddie.txt
baddie.txt > badfile.111
Few times... Etc.

..............................................................................................

for FAT32 file structure:

Once you are in safe mode,
Right click on the file. Click Properties
from the menu.
Uncheck the Read Only box.
Delete the file.
..............................................................................................


Once you have successfully deleted C:\WINDOWS\System32\ctln.dll please do these:

Navigate to:
C:\Documents and Settings\Berts\Local Settings\Temp <-- folder...and delete the entire contents of the temp folder (select all files, but not the folder itself)
Then empty the recycle bin.

Reboot normally....

Immediately run AdAware:
Download the latest version of Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
http://www.lavahelp....dref/index.html
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."
(More info here... http://www.lavahelp....awaretweak.html )
Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:
Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"
Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

then these....
Get and run the newest version of CWShredder:
Download CWShredder:
http://www.spywarein.../CWShredder.exe
Double click and hit the ->fix button to fix all found problems
Reboot.

then Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Turn ON System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Next a full scan here and let it clean:
http://housecall.tre.../start_corp.asp
Reboot when done.

Finally go to Start > Run > type or paste:
sfc /scannow
enter and let it run. Have your XP cd handy. You will only need it if the computer asks for it during the scan.

Now reboot again and show us a fresh HijackThis log please.

Good luck.

#10 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 30 July 2004 - 02:26 PM

I'll say it's super hidden. That's why I couldn't find it I guess.

I'll get right on this, so wait for my reply. Thank you endlessly!

#11 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 30 July 2004 - 03:12 PM

Alright,

I did what you said, exactly as you said to, and when I went into safe mode, the file was not there. Could it be because I'm running "XP HOME"? When I was running the .bat file, Zone Alarm kept telling me that all these different programs were trying to access the internet. You told me that I shouldn't be on the internet, so I denied them permission, thinking it wouldn't have caused a problem. Did it? If I did anything wrong, I'm sorry. Believe me I don't want to waste your time.

Thanks!

#12 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 30 July 2004 - 03:26 PM

Plus, did you notice how the text file calls it "ystem32\" and not "System32\"?
Is that strange or normal?

#13 gravylover5

gravylover5

    Mashed Potato Inspector

  • Retired Staff - Helper
  • PipPipPip
  • 121 posts

Posted 31 July 2004 - 11:11 AM

It's normal for it to be "ystem32" in the text file. Let me know how this works for you.

#14 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 02 August 2004 - 09:54 AM

It didn't work. When I went into safe mode, the file wasn't there. What now?

#15 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 03 August 2004 - 11:14 AM

Hello?

#16 bertsmusic

bertsmusic

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 04 August 2004 - 09:18 AM

Bumpitty Bump.



