Author Topic: NEED HELP (Read 2121 times)

-3dg3- · « **on:** February 05, 2005, 03:51:16 PM »

i have got spyware or a virus that i cannot get rid of it has hijacked my desktop background i ran many trial virus scans, spybot, and adaware

heres my hjt
Logfile of HijackThis v1.99.0
Scan saved at 3:13:54 AM, on 2/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\sdkrk.exe
C:\WINDOWS\sysmo.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Steam\Steam.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\likcl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EADD5986-0880-D4A7-5AF8-F6A41A46F8BA} - C:\WINDOWS\sysyq.dll
O4 - HKLM\..\Run: [sysmo.exe] C:\WINDOWS\sysmo.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvbwr32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\RunOnce: [sdkrk.exe] C:\WINDOWS\system32\sdkrk.exe
O4 - HKCU\..\Run: [Steam] "c:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\apijv32.exe (file missing)

thnx

-3dg3- · « **Reply #1 on:** February 05, 2005, 05:57:54 PM »

come on ppl i need help my pc is runnin slow as hell and i dont no what to do PLZZZZZZZZZZZZZZZZZZZ!!!!!!!!!!!!!!!!

guestolo · « **Reply #2 on:** February 05, 2005, 06:11:44 PM »

What is the background of your Desktop look like?

Could you Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Please don't restart your computer again after supplying the Post_This.txt

If you do you will have to supply a new Hijackthis log and Post_This.txt

-3dg3- · « **Reply #3 on:** February 05, 2005, 08:27:14 PM »

the background is all black with the text "Warning You are in Danger, then some more stuff explaining how i am at risk and that is all in a box surrounded by a dashed line and at the very bottom of the box it has a link that says removal instructions

hey is the "POST_THIS" from the service filter:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600
Feb 5, 2005 8:24:08 PM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: Adobe LM Service
Display Name: Adobe LM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Adobe LM ...
Service Type: Own Process
Path: "c:\program files\common files\adobe systems shared\service\adobelmsvc.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: kavsvc
Display Name: kavsvc
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\kaspersky lab\kaspersky anti-virus personal\kavsvc.exe
State: Running
Process ID: 248
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: PackethSvc
Display Name: Virtual NIC Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\packethsvc.exe
State: Running
Process ID: 172
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #4
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{916f429c-2e3c-4998-ba0c-336bdbe63323}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 5
Service Name: %AFå¤¶À¨
Display Name: Remote Procedure Call (RPC) Helper
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\apijv32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 82 Win32 services on this machine.
5 were unrecognized.

Script Execution Time: 4.40625 seconds.

guestolo · « **Reply #4 on:** February 05, 2005, 09:50:57 PM »

I'm going to ask you to edit the registry
Beforehand please create a fresh Restore point
===Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a Restore point
Name it and click Create
This is just to ensure you have a backup from this point on

After that is done

===Create a New folder on your Desktop, call it AboutBuster
Download to desktop ABOUT:BUSTER.zip
by RubbeR Ducky
Unzip it to that new folder===Open About:Buster and Check for Updates
Download the updates
Exit out
Don't run a Scan yet

===Download DelDomains.inf

http://www.mvps.org/winhelp2002/DelDomains.inf and save it to desktop
If using the mozilla browser, you may have to right click on that link and "Save link as"
We'll need this later

===Download and save to desktop Cwsserviceremover.zip
UNZIP the contents to your desktop
We'll need this later

===Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When Install Ad-Aware it may Update and start running a scan
Allow it to update, but don't run a scan yet
Ensure you check for updates however

===Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

PRINT this out or save to a Notepad file on your desktop
===Please Disconnect from the Internet, know how to Start into safe mode, I supplied a link below if your unsure how to......

===# Open Registry Editor. Click Start>Run, type REGEDIT
then press Enter.
# In the left panel, expand(+) the following
+HKEY_CURRENT_USER
+Software
+Microsoft
+Internet Explorer
+Desktop
+Components
# Still in the left panel, locate and Right click on and delete the subkey:
0
# Close Registry Editor.

RESTART your Computer in SAFE MODE

===Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Remote Procedure Call (RPC) Helper <--look carefully, there are others that are similiar, but not exact name
Double click on it--- STOP the service
In the drop down menu, change the startup type to Disabled

===Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill these processes if running
C:\WINDOWS\system32\sdkrk.exe
C:\WINDOWS\sysmo.exe

===Stay in safe, find and delete these files or folders if they exist
C:\WINDOWS\system32\sdkrk.exe <--this file
C:\WINDOWS\sysmo.exe
c:\windows\apijv32.exe
C:\windows\system32\kalvbwr32.exe

Also look for these ones related to Smart Security
Using Windows Explorer and/or Search, locate and delete the following files
they are in bold >>>Not all may exist
•C:\WINDOWS\desktop.html '
C:\WINDOWS\Web\desktop.html
• C:\WINDOWS\SSICO.ICO
• C:\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• C:\Documents and Settings\<current user>\Favorites\! Smart Security.url
• C:\Documents and Settings\<current user>\Recent\! Smart Security.url
• C:\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url

NOTE:<current user> indicates user having problems with desktop

===In safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\likcl.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\likcl.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\likcl.dll/sp.html#12345

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EADD5986-0880-D4A7-5AF8-F6A41A46F8BA} - C:\WINDOWS\sysyq.dll
O4 - HKLM\..\Run: [sysmo.exe] C:\WINDOWS\sysmo.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvbwr32.exe

O4 - HKLM\..\RunOnce: [sdkrk.exe] C:\WINDOWS\system32\sdkrk.exe

O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\apijv32.exe (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Again, in safe mode
===Navigate to About:Buster
Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time.
Save the log to a convenient location, I will want to see it later. Then hit exit

===Double click on cwsserviceremove.reg you unzipped to desktop earlier
and Allow it to merge to the Registry

===Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

===Open HOSTER and click on "RESTORE ORIGINAL HOSTS"

===Open Ad-aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode to finish the cleaning process

===Run a scan again with About:buster again and save the log

===Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

===Look in your C:\Windows\system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

===# Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

===Do an online Virus scan at Trend Micro's>>Set to Autoclean
http://housecall.trendmicro.com/

===Do another scan with hijackthis and save the log and post it back here
Also post back with the about:buster logs
Do as much as you can from the above and post back the logs regardless

-3dg3- · « **Reply #5 on:** February 05, 2005, 11:47:33 PM »

ok done with steps above

hjt:

Logfile of HijackThis v1.99.0
Scan saved at 11:46:32 PM, on 2/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\PROGRA~1\PicoZip\PicoZipTray.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [Steam] "c:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PicoZip] C:\PROGRA~1\PicoZip\PicoZipTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

AboutBuster:

Scanned at: 10:48:59 PM on: 2/5/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\bfqhu.dat
Removed! : C:\WINDOWS\yjsix.dll
Removed! : C:\WINDOWS\System32\awghm.dat
Removed! : C:\WINDOWS\System32\mezll.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-thnx so far u got rid of the background thing and i also am not getting any pop-ups

guestolo · « **Reply #6 on:** February 06, 2005, 03:10:32 AM »

This pest has a tendency of deleting SDHelper.dll
===If you have SPYBOT 1.3 installed
Look for SDHelper.dll in your C:\Program Files\Spybot - Search & Destroy folder
If it's not there download this zip file SDHelper13.zip
Save the Zip file to your desktop and Unzip it to your C:\Program Files\Spybot - Search & Destroy folder
To ensure it's enabled...Open Spybot>>Immunize
Put a tick next to "Enable Permanent blocking of bad addresses in IE"

A little added protection in Spybot
Click Immunize>>OK>>Immunize at the top
Do this after every update

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Clean those Temp folders, you should regularly(At least once every couple weeks)
If you would like to try this free utility to do it for you
Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, etc...
Windows Cleanup
Open Windows CleanUp>>>START>>All Programs>>CleanUp
Click the CleanUp button, let it finish scanning for files and then Log off and back on again

IF your version of Windows is Legit
There is no reason to be so far behind on Windows Updates
This is important in keeping your system secure
You should be able to Install Service Pack 1a from this link
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

Once Installed you will be prompted to restart your computer. Reboot and Go back to Windows updates and check for and install Latest Critical updates
Don't install the Recommended updates unless they are something you want or need

If your ready to jump to SP2
Be sure your system is prepared
There's a few steps I like to do beforehand if you need a hand with it
Let me know
But at minimum install SP1a if your version is legit

guestolo · « **Reply #7 on:** February 06, 2005, 02:24:21 PM »

I just realized I didn't supply a link to Hoster

Could you open Hijackthis>>Open Misc tools>>Open Hosts file Manager
click the "Open In Notepad"
Copy and paste back here the whole hosts file notepad file

TheTechGuide Forum

News:

Author Topic: NEED HELP (Read 2121 times)

-3dg3-

NEED HELP

-3dg3-

NEED HELP

guestolo

NEED HELP

-3dg3-

NEED HELP

guestolo

NEED HELP

-3dg3-

NEED HELP

guestolo

NEED HELP

guestolo

NEED HELP