dlh6213 27 Posting Maven Team Colleague

Hi r_evans, welcome to DaniWeb :D

I've split your post into its own thread per the site rules:
"Every question or new thought should have its own thread. Replies to a previous post should be thread replies to that particular thread. Do not piggyback threads by posting your question as a reply to another question"

Forum rules can be found here: http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq
Please follow the suggestions in the following threads:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

Include Ewido in that list of suggestions, scan with it in Safe Mode (reboot and repeatedly press F8 as it's restarting) and allow it to fix whatever it finds; pay attention to where the log is saved so you can post it in your next reply.

Reboot normally when the Ewido scan is complete.

Then follow the guidelines in this thread:

http://www.daniweb.com/techtalkforums/thread28196.html

Finally, close any open browser windows, Scan and Save Log with HJT, and post the log along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

Please go to this thread and follow the instructions for using HijackThis:
http://www.daniweb.com/techtalkforums/thread28196.html

After you've finished the general cleanup and program removal steps, go to post #6.

After you've completed the steps in post #6, post a new HJT log and try again to post the Ewido log (remember to scan in Safe Mode with Ewido).

dlh6213 27 Posting Maven Team Colleague

Update about:Buster

Reboot into Safe Mode

Disable BHO Demon

Scan with about:Buster

Reboot normally

Close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

You could have included what Punkbuster actually is (so we wouldn't have to look it up), and what specifically you've tried (instead of just saying "everything"). Also, the log from whatever you tried could have been posted as someone else may spot something you could have overlooked.

After you've gone through the 'pinned' threads, if you haven't resolved your problem, please post a HijackThis log here in this thread.

dlh6213 27 Posting Maven Team Colleague

Hi Shane,

For future reference, if you don't get a reply to a post, you can 'bump' it to the top of the forum by simply making another post in the existing thread yourself rather than starting a new thread.

Also, by looking through your past threads, it appears you seem to keep getting reinfected on a (roughly) monthly basis. To help prevent this, you should review the 'pinned' topics at the beginning of this forum (regarding protection, cleaning, and specific fixes).

Go to Add/Remove Programs in your Control Panel and remove (if present):

180Solutions
Media Gateway
Viewpoint
(or Viewpoint Manager, ViewMgr, or something similar)

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [370n10rk] C:\WINDOWS\system32\370n10rk.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball...tgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W...e/bridge-c9.cab
O16 - DPF: {1C763326-813B-466F-AF7A-8618C10955D6} (SysCheck.SystemCheck) - http://services.yummy.net/download/WebInstall.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab31267.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v4...x/blockwerx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1093733159796
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOA...tallerProj1.cab

dlh6213 27 Posting Maven Team Colleague

Actually, I decided to try Firefox :)

And I can say that I'm satisfied enough with it that I haven't tried any others and I use it most of the time now.

For me, it's not faster as others have claimed, it's actually a bit slower if anything. But I get far fewer popups.

Both Firefox and IE have their advantages and disadvantages, so I can't really say one is better than the other based purely on 'feel.' But for safer browsing, Firefox is the better choice of the two, in my opinion.

dlh6213 27 Posting Maven Team Colleague

Without more information, about all I can suggest is to review the 'pinned' threads at the top of this forum to see if there's anything you haven't tried yet.

dlh6213 27 Posting Maven Team Colleague

Hi Brandon, welcome to DaniWeb :D

Start with this:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Reboot into Safe Mode.

Then scan with HijackThis and have it fix the following entries:

O2 - BHO: (no name) - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - (no file)
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\bp_bg.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\bp_bg.exe
C:\WINDOWS\web\related.htm

Do a search for msdirectx.exe and delete any instances found.

Empty your Recycle Bin and reboot normally.

Follow the recommendations in this thread to cleanup your temporary files and such:
http://www.daniweb.com/techtalkforums/thread27570.html

And finally, close any open browser windows, scan with HJT, and post a new log please... and let us know if msdirectx is still causing problems.

dlh6213 27 Posting Maven Team Colleague

Hi Paul, welcome to DaniWeb :D

Please follow the instructions in post #4 of this thread:
http://www.daniweb.com/techtalkforums/thread28196.html

dlh6213 27 Posting Maven Team Colleague

Hi SilentK, welcome to DaniWeb :D

Scan with HijackThis and have it fix the following entry:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www196.paypopup.com/links.ph...rame=false&bk=2

Close any open windows, other than HijackThis, before hitting Fix checked.

Download, install, and update Ewido , but don't scan with it yet:
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1

Reboot into Safe Mode.

Scan with Ewido, allowing it to fix whatever it finds (note: you will be posting the log from this scan in your next reply).

When it has finished, reboot normally.

Close any open browser windows, scan with HJT, and post the new log along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

Hi Taimaishu, welcome to DaniWeb :D

Please follow the suggestions in these threads to help protect your computer and start the cleanup process:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

dlh6213 27 Posting Maven Team Colleague

Hi Lee, welcome to DaniWeb :D

Your computer may have an image installed on a hidden partition; look through the literature that came with it or contact the dealer you purchased it from for instructions on how to access and use it.

Go through the 'pinned' topics at the beginning of this forum for suggestions on protecting and cleaning your computer.

dlh6213 27 Posting Maven Team Colleague

Hi Danny123, welcome to DaniWeb :D

Please read this to help prevent further infections:
http://www.daniweb.com/techtalkforums/thread27519.html

And then follow the instructions in post #6 in this thread:
http://www.daniweb.com/techtalkforums/thread28196.html

dlh6213 27 Posting Maven Team Colleague

You should read this thread to help prevent further intrusions:
http://www.daniweb.com/techtalkforums/thread27519.html

Then follow the advice here to get HijackThis in a safe folder:
http://www.daniweb.com/techtalkforums/thread28196.html

And follow the recommendations here to clean up some of your problems (after HijackThis has been moved out of the Temp folder!):
http://www.daniweb.com/techtalkforums/thread27570.html

Go to post #6 in this thread and follow the instructions:
http://www.daniweb.com/techtalkforums/thread28196.html

After that, close any open browser windows, scan with HijackThis, and post a new log, along with the Ewido log, so any remaining items can be dealt with.

dlh6213 27 Posting Maven Team Colleague

You still have Aurora :(

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Then go to post #5 in this thread and follow the instructions carefully:
http://www.daniweb.com/techtalkforums/thread28196.html

When you've completed that, go to post #6 in the same thread and follow the instructions there as well.

In addition to the entries suggested to be fixed with HijackThis in those posts, include these:

O4 - HKLM\..\Run: [rebdzp] c:\windows\system32\ayxakb.exe r
O4 - HKCU\..\Run: [Issfjgus] C:\WINDOWS\system32\W?nSxS\arpa.exe

dlh6213 27 Posting Maven Team Colleague

I don't really see anything bad in your log, but I do have a couple of suggestions --

Check this thread to help make sure your system is clean:
http://www.daniweb.com/techtalkforums/thread27570.html

Also, you may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:
"CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it."

dlh6213 27 Posting Maven Team Colleague

I don't see anything else in your log, are you still having problems?

dlh6213 27 Posting Maven Team Colleague

Please follow the recommendations in Part II of the first post in the following thread, and then follow the instructions in post #4 of the same thread:
http://www.daniweb.com/techtalkforums/showthread.php?p=141971#post141971

Do a search for the following files and delete any instances found:

Win.exe
Win32.exe

Empty your Recycle Bin and reboot.

Then post a new HijackThis log to clean up any remaining items.

dlh6213 27 Posting Maven Team Colleague

Uninstall Messenger Plus as it comes bundled with LOP. You can reinstall Messenger Plus without the sponsor.

Go to Add/Remove Programs in your Control Panel and remove (if present):

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer

You may be given a code to insert, do so and reboot when done.

If none of these are listed, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

Reboot, close any open browser windows, scan with HJT, and post a log to verify your system is clean.

dlh6213 27 Posting Maven Team Colleague

1.) Isn't that a bit expensive?
2.) You should have HJT fix that entry since you no longer use that service.
4/5.) As you know, AntiVir is your antivirus program; I only had you fix that entry because it was a 'Temp' file, but apparently AntiVir needs it. Do you still get the message after the O23 entry returned?
6.) Try this --

Go to Add/Remove Programs in your Control Panel and remove (if present):

Window Search
Window Searching
Lop.com
LOP SEARCH
Browser Enhancer
Ultimate Browser Enhancer

You may be given a code to insert, do so and reboot when done.

If none of these are listed, run the Lop Remover from:
http://www.thespykiller.co.uk/downloads.htm

Then, reboot into Safe Mode, scan with HJT, and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.1access.net/search.htm
O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com

Reboot normally, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Please follow the recommendations in Part II of the first post in the following thread, and then follow the instructions in post #5 of the same thread:
http://www.daniweb.com/techtalkforums/showthread.php?p=141971#post141971

Then post a new HijackThis log to clean up any remaining items.

dlh6213 27 Posting Maven Team Colleague

Hi engine-cadet, welcome to DaniWeb :D

Please follow the suggestions in these threads:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

Then close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi Sharon, welcome to DaniWeb :D

Please follow the suggestions in these threads:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

dlh6213 27 Posting Maven Team Colleague

Ok, I did that, but how do I know if it worked?

I also DLed HJT b/c when I got a new computer 6 months ago it was lost.

Should I run it & send you the code?

I don't even remember how after all this time LOL

Thanks


Michelle

That would probably help; make sure you have the latest version of HijackThis (1.99.1).

Close any open browser windows, press the Scan and save log button, and then copy the contents of the log that comes up and paste it here.

dlh6213 27 Posting Maven Team Colleague

This post covers the removal of:

About:blank
CoolWebSearch
CoolWwwSearch
Home Search Assistant
Search Extender
Shopping Assistant
Shopping Wizard
White-Pages.ws
YouFindAll

You will need to disconnect from the internet, so you may wish to print these instructions.

Download, install, and update these utilities, and then close the programs (don't scan yet):

Ewido Security Suite (XP users only) -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.besttechie.net/tools/AboutBuster.zip
HSRemove (XP users only) -- http://www.majorgeeks.com/download4286.html
Sp.html-Se.dll Hijack Fix (Windows 2000 & XP only) -- http://www.majorgeeks.com/Sp.html-Se.dll_Hijack_Fix_2000XP_d4617.html
or
SpSeHjfix -- http://www.derbilk.de/SpSeHjfix112.zip (save it to the Desktop, and then right-click in a blank area of the Desktop, select New, Folder, and name it spfix; unzip the file into that folder).

Disconnect from the net and reboot into Safe Mode.

Now run the utilities:

about:Buster

HSRemove

Sp.html-Se.dll Hijack Fix or SpSeHjfix (click on Start Disinfection. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. Note: if it doesn't find any of the SE files or any hidden reinstallers, it will say System clean and not go on to next stage).

CWShredder

Ewido; during the scan it will prompt you to clean files, click OK (note: you will be posting the log from this scan later).

Scan with HijackThis …

dlh6213 27 Posting Maven Team Colleague

This fix should work for the Aurora / Nail infection.

You will need to disconnect from the internet, so you may wish to print these instructions.

If you don’t already have HijackThis, please download the self-extracting version of it from here (in line 2):
http://www.malwareremoval.com/downloads.html

Download Ewido Security Suite from here (XP users only):
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install and update it, and then close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Open the Services utility in your Administrative Tools control panel.

- In the list of services, locate the service named System Startup Service or SvcProc and double-click on it.

- In the General tab of the Properties window that opens, click the Stop button.

- Once the service is stopped, choose Disabled in the Startup Type drop-down menu and then click OK. Close the Services utility.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido; during the scan it will prompt you to clean files, click OK. (note: you will be posting the log from this scan when back in normal mode).

Still in Safe Mode, Double-click on …

dlh6213 27 Posting Maven Team Colleague

Here is a comparison of just about every AV program there is:

http://www.virusbtn.com/library/files/4pg_reprint.pdf

(AntiVir is listed as H+BEDV AntiVir)

Ratings are based on speed and effectiveness, not usability, support, etc.

dlh6213 27 Posting Maven Team Colleague

The best-rated antivirus program is Nod32; you can do a search on the web for ratings and opinions on it.

Here is a link to an AV discussion here at DaniWeb:

http://www.daniweb.com/techtalkforums/thread22271-nod32.html

This may be helpful as well:

http://www.daniweb.com/techtalkforums/thread27519-nod32.html

I'm not familiar with AntiVir, but the users here seem to like it:

http://www.download.com/AntiVir-Personal-Edition/3640-2239_4-10322934.html?tag=lst-0-1

But what's more important is your satisfaction, and it doesn't sound like you're very happy with the product or its support.

dlh6213 27 Posting Maven Team Colleague

Do you use NetZero or AOL?

Do you know anything about this website?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.1access.net/search.htm

Scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Lin...204&clcid=0x409
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/...34/sdcregie.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/e...oach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - http://tools.ebayimg.com/eps/wl/act...ol_v1-0-3-9.cab
O16 - DPF: {5296F90C-A8D0-4849-A430-F9B6803EDBD4} - http://dl.netzero.net/pub/netzero/q...t/oci/oci_n.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21dc11b...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
If this Domain name is not related to your ISP, have HJT fix this O17 entry as well --
O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\JEFF\LOCALS~1\TEMP\_VWUPSRV.EXE

Close any open windows, other than HijackThis, before hitting Fix checked.

Reboot, close any open browser windows, scan with HijackThis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

They've done the same for Weatherbug, which is why I prefer to recommend CounterSpy rather than MS's Antispyware.

From a prior post of mine:

How many ‘vendors’ can ‘convince’ Microsoft to allow their adware/spyware? Some interesting articles can be found at the following websites (a paragraph or two from each one immediately follows the link):

http://www.techdirt.com/articles/20050110/0044223_F.shtml
“While certain adware companies have been looking to bribe anti-spyware companies into taking them off the list, Broadband Reports wondered how Microsoft would respond to such an approach. Already, the company faced just such a question, as the anti-spyware software identifies Weatherbug as a possible threat. Weatherbug, of course, used to be a big adware provider, but claims that they've reformed from their earlier ways and no longer do such things. As such, they were peeved about the classification -- even if it's described as a small threat. Microsoft quickly backed down and agreed to remove Weatherbug from the list.”

http://www.eweek.com/article2/0,1759,1749409,00.asp
“A Microsoft spokeswoman said the beta product included a vendor dispute-resolution mechanism to deal with complaints from third-party companies.

In the case of WeatherBug, the dispute-resolution process paid immediate dividends. On Friday, the company received a response from Microsoft with the good news that the current signatures for Minibug will be removed.”

dlh6213 27 Posting Maven Team Colleague

This fix may work for any of the following infestations:
Cassandra
Desktophijack
Error Message 317
HotOffers
Joke.Smitfraudoid
NEWGENLOOK
SmitFraud
Specialgoods
Searchmiracle

In order to view some of the files and folders mentioned here, you will need to set your system to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Download, install, update, and run CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Reboot into Safe Mode.

Do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix any R0 or R1 entries similar to this:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
(hotoffers may …

dlh6213 27 Posting Maven Team Colleague

Scan with HiJackThis and look for a line similar to this:

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load

Place a check in the box to the left, click Fix checked, and see if that resolves the issue.

If the entry is also in an O2 line of the HijackThis log, you may need to go to C:\WINDOWS\system32 & delete the file manually as well. At the least, go there to see if it is still there.
___________________________________________________________

BEFORE POSTING A HiJackThis LOG, PLEASE REVIEW THE FOLLOWING LINK:

http://www.2-spyware.com/file-bridge-dll.html

Bridge.dll is related to WinFavorites, which apparently is spyware. The above link tells you exactly what to do to resolve the issue. If this doesn't fix your problem, THEN AND ONLY THEN should you ask for help. Also, you should only post an HJT log if asked for one.

HiJackThis is an excellent tool, but only in the hands of a user skilled enough to interpret the results. It is unfair just to post an HJT log and basically say, "fix it!". These posts don't contribute anything to the community we're trying to build here, and it indicates a lack of initiative on the part of the original poster, basically showing that the user isn't interested in learning anything, only having their problem fixed. That's not the type of user we want to foster here...

(Link to original post -- http://www.daniweb.com/techtalkforums/thread7370-bridge.dll+before.html)

dlh6213 27 Posting Maven Team Colleague

The problem:

Windows XP and ME have a tool called System Restore, which works by making automatic scheduled backups ("restore points") of critical Windows components, including the registry. That way, if your system becomes corrupted you can ideally "roll back" to a previous, working configuration. The backup files for these restore points are kept in the C:\System Volume Information\_restore folder, which is a hidden system folder.

Unfortunately, if your system is already infected at the time when Windows takes a given restore "snapshot," the infected files get backed up along with everything else. Obviously, this also means that the infections will be reinstalled with everything else if you choose to restore from that snapshot point.

Because the Restore folder is a protected system folder, most anti-virus and anti-spyware programs don't have permission to delete the infected files stored there. To erase the contents of the _restore folder, you need to turn off the System Restore function. When you turn off System Restore, Windows will automatically delete the contents of the _restore folder.

Note that because disabling System Restore deletes all data in the restore folder, you'll want to re-enable System Restore once you're sure that your system is clean.


The Fix

For Windows XP:

Disable System Restore

1. Log in as a user with Administrator privileges.

2. Right-click on the My Computer icon on your desktop and choose the "Properties" option.

3. In the System Properties window, click …

dlh6213 27 Posting Maven Team Colleague

If you’ve followed the suggestions in the Protection and Cleaning threads, and are still having problems, you most likely have an infection that will take some specialized tools and/or processes to remove.

Before requesting assistance, it would be helpful for you to read How To Ask Questions The Smart Way - http://www.catb.org/~esr/faqs/smart-questions.html

The primary tool you will need to begin removing infections is HijackThis --

HijackThis (aka HJT)

WARNING -- We ask that all members who use the advice given here to be prudent before deleting any files by backing up their data. There may be occasion when, unfortunately, the wrong advice is inadvertently given. Hijackthis is a very powerful tool and must be used with wisdom. If there is anything you are uncertain about, search Google for information while waiting for a response from our members here. Assistance is offered in good faith and should be received in good faith. It's a wise person who makes sure their data is backed up safely before diving deep into the heart of their Operating System, and that's exactly what HijackThis does. Remember we're all here to help and not everybody is an expert. And even the experts don't necessarily get it all right all the time. A little wrong move, a bit of bad luck, and your system might stop working altogether! It doesn't happen often but it's YOUR job to be ready in case it does.*

You can get a self-extracting version of HijackThis from here (in line …

dlh6213 27 Posting Maven Team Colleague

Hi Robert, welcome to DaniWeb :D

Please follow the recommendations in these threads to help protect and start the cleanup process of your system, and to locate HijackThis in an appropriate folder:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

http://www.daniweb.com/techtalkforums/thread24085.html

Download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html

After you've followed the above suggestions, close any open browser windows, scan with HijackThis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

I have yet to locate an affordable data recovery service. As long as you can access the drive, this utility should work. Keep in mind some of the files may have become corrupted:

http://www.snapfiles.com/get/restoration.html

If it's critical data, you may need to spend the couple thousand to get it back.

dlh6213 27 Posting Maven Team Colleague

When you have the current updates, your HJT log will show entries like these:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Your log still shows that you don't have the Critical Updates you should. On an unpatched system, infections are very likely to return.

Get Ewido from here:
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1, but don't scan with it yet.

Reboot into Safe Mode.

Scan with Ewido, allowing it to clean whatever it finds (note: you will be posting the log from this scan in your next reply).

Still in Safe Mode, scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=G:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {4EFF303A-9F81-C092-2E28-03548849D849} - (no file)
O4 - HKLM\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\RunServices: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKCU\..\Run: [Lov4RjGFj] rcims.exe
O4 - HKCU\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1121341222278
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab
If the following IP addresses are not related to your ISP, have HJT fix this entry as well --
O17 - HKLM\System\CCS\Services\Tcpip\..\{525A457A-79D0-4A58-B9F0-6327978E942B}: NameServer = 209.43.75.190 206.246.140.14
O23 - Service: Windows lsass Service (lsass) - Unknown owner - G:\WINDOWS\lsass.exe
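The entries fixed in this reply, and in the earlier reply above about the 1access.net home page and the addressisp.com O17 entry, were picked out by eye. The script below is an added example written for this page; it is not part of the original posts and not HijackThis' own code. It parses HJT-style log lines and applies the same rules of thumb: a Run entry whose target is a bare filename or a random-looking name, a DLL loaded through rundll32 at logon, an ActiveX .cab pulled from a host you have not approved, O17 NameServer addresses that are not your ISP's, and an O23 service whose binary runs from a Temp folder or that uses a well-known system name (lsass.exe) outside system32. The trusted resolver and host lists are constructed placeholders; the sample log mixes entries quoted in this thread with made-up .cab URLs and is not a real capture.

```python
"""Triage heuristics for HijackThis (HJT) 1.99.x log lines.
Added example, not from the forum posts and not HijackThis' own code; the
policy tables are constructed placeholders and the sample log is not a real capture."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "section reason line")
# Constructed policy: your ISP's resolvers, hosts you accept ActiveX .cab files
# from, and Windows binaries that belong only in %SystemRoot%\system32.
TRUSTED_NAMESERVERS = {"192.0.2.53", "192.0.2.54"}
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "messenger.zone.msn.com", "housecall60.trendmicro.com"}
SYSTEM32_ONLY = {"lsass.exe", "csrss.exe", "winlogon.exe", "svchost.exe", "services.exe", "userinit.exe"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # 'O4 - ...', 'R3 - ...'
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def image_path(cmd):
    """Best-effort path of what a Run value actually executes."""
    cmd = cmd.strip()
    m = re.match(r'rundll32(?:\.exe)?\s+"?([^",]+)', cmd, re.I)
    if m:  # rundll32 "x.dll",Entry -> the DLL is the real payload
        return m.group(1)
    if cmd.startswith('"'):  # quoted path, arguments may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.I)  # unquoted path with spaces, up to '.exe'
    return m.group(1) if m else (cmd.split() or [""])[0]

def looks_random(filename):
    """Digit/letter jumbles (370n10rk.exe) or near-vowelless stems (phqghu.exe)."""
    stem = filename.rsplit(".", 1)[0].lower()
    if any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    return len(letters) >= 5 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.2

def check_o4(body):
    m = O4_RE.match(body)
    if not m:
        return None
    img = image_path(m.group("cmd"))
    if img.lower().endswith(".dll"):
        return "rundll32 loads a DLL at logon; verify the DLL is legitimate"
    if not re.match(r"^[A-Za-z]:\\", img):
        return "bare filename with no path: resolved by PATH search at logon"
    return "random-looking executable name" if looks_random(img.rsplit("\\", 1)[-1]) else None

def check_o16(body):
    m = URL_RE.search(body)
    host = (urlsplit(m.group(0)).hostname or "") if m else ""
    return None if host in TRUSTED_DPF_HOSTS else f"ActiveX .cab from untrusted host {host!r}"

def check_o17(body):
    if "NameServer" not in body:
        return "Telephony DomainName set; confirm it belongs to your ISP"
    rogue = [ip for ip in IPV4_RE.findall(body) if ip not in TRUSTED_NAMESERVERS]
    return "DNS server(s) not on the trusted list: " + ", ".join(rogue) if rogue else None

def check_o23(body):
    low = body.rsplit(" - ", 1)[-1].strip().lower()  # last field is the image path
    folder, _, name = low.rpartition("\\")
    if name in SYSTEM32_ONLY and not folder.endswith("system32"):
        return f"{name} outside system32 impersonates a Windows component"
    return "service binary runs from a temporary directory" if "\\temp\\" in low else None

CHECKS = {"O4": check_o4, "O16": check_o16, "O17": check_o17, "O23": check_o23,
          "O2": lambda b: "orphaned BHO registration (no DLL on disk)" if "(no file)" in b else None}

def triage(log_text):
    """Return a Finding for every log line one of the heuristics objects to."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        reason = CHECKS.get(m.group(1), lambda b: None)(m.group(2)) if m else None
        if reason:
            findings.append(Finding(m.group(1), reason, line))
    return findings

# Constructed sample: entries quoted in this thread plus made-up .cab URLs.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4EFF303A-9F81-C092-2E28-03548849D849} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [370n10rk] C:\WINDOWS\system32\370n10rk.exe
O4 - HKLM\..\Run: [VID INTERNET WEB DRIVERS FOR WIN32] phqghu.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/example.cab
O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{525A457A-79D0-4A58-B9F0-6327978E942B}: NameServer = 209.43.75.190 206.246.140.14
O23 - Service: AntiVir Update Temp (TmpUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\DOCUME~1\JEFF\LOCALS~1\TEMP\_VWUPSRV.EXE
O23 - Service: Windows lsass Service (lsass) - Unknown owner - G:\WINDOWS\lsass.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as-is and it lists nine findings from the sample; paste a real log into SAMPLE_LOG (or read it from a file) to triage your own. Two caveats matter in practice. The findings are review items, not a fix list: the AntiVir update service is flagged because it runs from Temp, exactly as it was in this thread, and it turned out to be needed. And path heuristics say nothing about a program such as ViewMgr.exe that sits under Program Files with its own name, which is why the replies above also keep lists of known adware to uninstall by name.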

dlh6213 27 Posting Maven Team Colleague

Glad we could help. Be careful how you use your computer, especially your work computer! You don't need to be getting fired over something stupid like this.

dlh6213 27 Posting Maven Team Colleague

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Navigate to and delete the following subkeys:

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL
HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087
HKEY_USERS\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane, delete the value: "WindowsFY" = "C:\wp.exe"

Navigate to the subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler, and in the right pane, delete the value: "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"

Navigate to the subkey HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, and in the right pane, delete the value: "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}" = ""

Exit the Registry Editor.

Please read this thread:
http://www.daniweb.com/techtalkforums/thread27519.html
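
Added example (the editor's code, not from this thread or from Microsoft): instead of deleting each key by hand in regedit, the same removals can be written into a .reg file and applied in one step with reg import (or by double-clicking it), after the backup export the reply above starts with. In .reg syntax a key header beginning with "-" deletes that key, and a value set to "-" deletes just that value. The script also refuses the two mistakes that make a cleanup .reg file dangerous: an abbreviated or malformed hive path, and a line that would wipe a whole CLSID, Run or Uninstall subtree because a GUID was left off. Assumptions: the key is spelled CurrentVersion (its actual name); and the reply's HKEY_USERS\Software\... entries, which have no SID in them, are given here under HKEY_CURRENT_USER on the assumption that the logged-on profile is the infected one.

```python
ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# Parent keys never to delete wholesale; a GUID dropped by a typo would otherwise take all of them.
STRUCTURAL = {"classes", "software", "clsid", "interface", "typelib", "run", "runservices",
              "uninstall", "extensions"}

# The keys listed in the reply above (HKEY_USERS entries mapped to HKEY_CURRENT_USER, see lead-in).
KEYS_TO_DELETE = [
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{145E6FB1-1256-44ED-A336-8BBA43373BE6}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1D27320E-2DA2-41E2-A103-B5FD9D6A798B}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Typelib\{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL",
    r"HKEY_LOCAL_MACHINE\Software\Classes\Serch_hook.transURL.1",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11120607-1001-1111-1000-110199901123}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Connection Update and HomeP KB234087",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{081669BA-EFC4-48C2-A8F4-874052D02553}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
]
# (key, value name) pairs where only the value goes and the key stays.
VALUES_TO_DELETE = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsFY"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
     "{D56A1203-1452-EBA1-7294-EE3377770000}"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks",
     "{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70}"),
]


def _check_root(path):
    """Reject abbreviated hives (HKLM) and HKEY_USERS paths that skip the SID."""
    parts = path.split("\\")
    root, rest = parts[0].upper(), parts[1:]
    if root not in ROOTS:
        raise ValueError("not a full hive name (.reg files need e.g. HKEY_LOCAL_MACHINE): " + path)
    if root == "HKEY_USERS" and not (rest and (rest[0].upper() == ".DEFAULT"
                                              or rest[0].upper().startswith("S-1-"))):
        raise ValueError("HKEY_USERS paths go through a SID or .DEFAULT: " + path)
    return path


def check_key(path):
    """A key about to be deleted outright: well-formed, deep enough, and not a whole subtree."""
    _check_root(path)
    rest = path.split("\\")[1:]
    if len(rest) < 3:
        raise ValueError("refusing to delete a key this close to the hive root: " + path)
    if rest[-1].lower() in STRUCTURAL:
        raise ValueError("refusing to delete a whole " + rest[-1] + " subtree: " + path)
    return path


def rejects(path):
    """True when check_key would refuse the path (handy for a quick self-check)."""
    try:
        check_key(path)
    except ValueError:
        return True
    return False


def reg_delete_script(keys, values):
    """Return .reg text that deletes the given keys and the given (key, value-name) pairs."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += ["[-" + check_key(key) + "]", ""]            # leading '-' deletes the whole key
    for key, name in values:
        escaped = name.replace("\\", "\\\\").replace('"', '\\"')
        lines += ["[" + _check_root(key) + "]", '"' + escaped + '"=-', ""]   # '=-' deletes one value
    return "\r\n".join(lines)


def write_reg(filename, text):
    """Version 5.00 .reg files are UTF-16 with a BOM; Python's utf-16 codec writes both."""
    with open(filename, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    print(reg_delete_script(KEYS_TO_DELETE, VALUES_TO_DELETE))
```

Run it, save the output with write_reg("cleanup.reg", ...), and apply it with "reg import cleanup.reg" from an administrator account; the backup made with "reg export HKLM hklm-backup.reg" (and the same for HKCU) is what you import back if anything goes wrong.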

dlh6213 27 Posting Maven Team Colleague

Please go here to get the Critical Updates for your system:
http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

Download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html

Then post a new HJT log to clean up the remaining items.

dlh6213 27 Posting Maven Team Colleague

According to your HijackThis log, you don't have any Windows Updates at all.

Yes there are things that should be fixed in your HJT log, but it needs to be in its own permanent folder first -- so that it, and the backups it will create, will not be deleted during the cleanup process.

dlh6213 27 Posting Maven Team Colleague

In order to view some of the files and folders mentioned here, you will need to set your system to show hidden files and folders. Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Reboot into Safe Mode.

Do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?; click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix this entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/

Empty your Recycle Bin and reboot normally.

Delete any unwanted icons from your desktop and empty your Recycle Bin.

Close any open browser windows, scan with HijackThis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

PC seems fine now. HC did the trick - Is their virus software worth buying?

If you're looking for the best antivirus, I would recommend Nod32; I don't think it costs any more than the others. You can do a search here on DaniWeb, or on the net, for other opinions and comparisons.

By the way I am looking at building a new PC, what motherboard would you recommend for around 100 to 150 euros? and should I go for AMD or Pentium? (I would like at least 2.5 gig)

There will probably be a lot of varying opinions on MBs and CPUs; you may find what you're looking for in the Hardware section (http://www.daniweb.com/techtalkforums/forum7.html). If not, post your own question there. If I were building a PC, I would probably get an ASUS MB and Pentium CPU, but that's just me.

Happy to hear your PC is working properly again :)

dlh6213 27 Posting Maven Team Colleague

Please follow these instructions (from the first link above):
"3.) Updates

Get the Critical Updates for Windows using Windows Update (it should be in your Start menu). If your OS is Windows XP, and you do not currently have SP2, don’t get it, at least until your system has been verified as clean. You must have at least SP1 installed; if you don’t currently have any XP updates, get SP1a. If you do not have your PC set to check for updates automatically, check manually at least weekly.

Get the Critical Updates for Internet Explorer using Windows Update (open IE, click on Tools, and then Windows Update). You need to have the latest version of Internet Explorer, which is currently version 6 (IE6). If you do not already have SP2, do not get it, at least until your system has been verified as clean. You must have at least SP1 installed; if you don’t currently have any IE updates, get SP1a."

Then follow the instructions in this thread:
http://www.daniweb.com/techtalkforums/thread24085.html

After you've moved HijackThis, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Please follow the instructions in this thread:
http://www.daniweb.com/techtalkforums/thread13362.html

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Boot into Safe Mode and do a search for lqfax12n.dll, and delete any instances found.

If any could not be deleted, run Pocket Killbox and paste the full file path in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\system32\lqfax12n.dll)

Empty your Recycle Bin, reboot normally, and search for the file again to make sure it's gone.

Then, right-click in an open area of your desktop, select New, Folder; give the new folder a name (something like HJT or HijackThis), and drag the hijackthis.exe icon that is on your desktop into the new folder.

Close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Open NotePad (or WordPad), copy the contents of the 'Code' below , and paste it into NotePad:

@echo off
rem change to the System32 folder on whichever drive holds Windows (a bare "cd System32" fails when the batch file runs from the Desktop)
cd /d %SystemRoot%\System32
attrib -s -r -h MSplg7.dll
del MSplg7.dll

Go to File, Save As and type the filename as Remove.bat, save it to your Desktop, and then close NotePad.

Reboot into Safe Mode.

Scan with Hijackthis and have it fix the following entry:

O20 - Winlogon Notify: f3dsl - C:\WINDOWS\SYSTEM32\MSplg7.dll

Close any open windows and hit Fix checked.

Double-click on the file Remove.bat, and a DOS-type window should open and close quickly; this is normal. (If the window does not close by itself, you can close it after a few seconds.)

Go to C:\WINDOWS\SYSTEM32 and delete MSplg7.dll.

Do a search for MSplg7.dll and delete any instances found.

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with HJT, and post a new log please.
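
The three replies above that search for and remove dropped files (param32.dll and the others, lqfax12n.dll, and MSplg7.dll via Remove.bat) all do the same job, so here is one added example that covers them (the editor's code, not a tool from this thread). It walks a tree for the named files case-insensitively, as a Windows file system would match them, clears the attributes that make del fail (the attrib -s -r -h step; on Windows via SetFileAttributesW, elsewhere just the read-only bit), unlinks each copy, and reports any file it could not remove so it can be handed to a delete-on-reboot tool. schedule_delete_on_reboot() shows the Windows mechanism such tools rely on, MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, which needs administrator rights. The demo tree is constructed in a temporary directory; the file names in it are placeholders, not real DLLs.

```python
import ctypes
import os
import stat
import tempfile

FILE_ATTRIBUTE_NORMAL = 0x80         # Win32: no read-only/hidden/system bits set
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4    # Win32: queue the operation in PendingFileRenameOperations


def _unprotect(path):
    """Undo attrib +s +r +h so the unlink can succeed (Windows); clear read-only elsewhere."""
    if os.name == "nt":
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL)
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)


def find_files(root, names):
    """Every file under root whose name matches one of names, case-insensitively."""
    wanted = {n.lower() for n in names}
    return [os.path.join(d, f) for d, _dirs, files in os.walk(root) for f in files
            if f.lower() in wanted]


def remove_files(root, names):
    """Return (deleted, failed): paths removed, and paths still present after the attempt."""
    deleted, failed = [], []
    for path in find_files(root, names):
        try:
            _unprotect(path)
            os.remove(path)
            deleted.append(path)
        except OSError:              # typically locked by a running process
            failed.append(path)
    return deleted, failed


def schedule_delete_on_reboot(path):
    """Windows only: ask the kernel to delete the file at next boot (needs admin). Returns bool."""
    if os.name != "nt":
        return False
    return bool(ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


def demo():
    """Constructed tree: a fake System32 holding two of the named files plus a legitimate one."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "System32")
    os.makedirs(sys32)
    for name in ("param32.dll", "MSplg7.dll", "kernel32.dll"):
        with open(os.path.join(sys32, name), "wb") as fh:
            fh.write(b"MZ")          # placeholder content, not a real DLL
    os.chmod(os.path.join(sys32, "param32.dll"), stat.S_IREAD)   # read-only, like attrib +r
    deleted, failed = remove_files(root, ["param32.dll", "msplg7.dll", "lqfax12n.dll", "svrhost.exe"])
    return {
        "root": root,
        "deleted": sorted(os.path.basename(p) for p in deleted),
        "failed": failed,
        "left": sorted(os.listdir(sys32)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the real machine you would call remove_files(r"C:\", [...]) from Safe Mode, as the replies say, so that the malware is not running and holding its files open; whatever lands in failed is the list to give Killbox, or to pass to schedule_delete_on_reboot().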

dlh6213 27 Posting Maven Team Colleague

Svchost.exe is a part of Windows and it's not unusual to see several entries in an HJT log. There is also a worm that uses this file, but you don't have it -- http://www.processlibrary.com/directory/files/svchost/

Nvsvc32.exe is from NVIDIA Corporation, it's your graphics card -- http://www.processlibrary.com/directory/files/nvsvc32/

I don't see anything else in your log, are you still having problems? If so, please give us specific details.

dlh6213 27 Posting Maven Team Colleague

Check this thread:
http://www.daniweb.com/techtalkforums/thread27924.html

Slightly different problem, but the same fixes should be tried. There is also a link to reinstalling IE.

dlh6213 27 Posting Maven Team Colleague

Hi msenli, welcome to DaniWeb :D

Please follow the recommendations in these threads to help protect your system and start the cleanup process:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

Then, close any open browser windows, scan with HijackThis, and post a new log.

dlh6213 27 Posting Maven Team Colleague

Hi Cassorangeiroc, welcome to DaniWeb :D

Before delving into your HijackThis log, please follow the recommendations in these threads to help protect your system and start the cleanup process:

http://www.daniweb.com/techtalkforums/thread27519.html

http://www.daniweb.com/techtalkforums/thread27570.html

Then, download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html

After you've completed that, close any open browser windows, scan with HijackThis, and post a new log.