Midnight Star
4.8K Posts
0
February 8th, 2005 20:00
Let's see what we can do...
Go to www.trendmicro.com, and then:
1. Click "Free Online Scan".
2. Click "Scan now, it's free".
It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:
1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".
When it completes, post back the full filename of any files that cannot be cleaned or deleted.
Reboot your computer into "Safe Mode".
Download, unzip to your desktop CWShredder and run it, then:
1. Click "Check For Update"
(If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"
Download, unzip to your desktop About:Buster and run it, then:
1. Click "Update".
2. Click "Check For Update"
(If no new version is available, skip to step #4.)
3. Click "Download Update", and wait for it to be installed.
4. Click "Start".
(Wait for the initial ADS scan to complete.)
5. Click "Yes", to shutdown any IE session currently open.
(Wait for the about:blank scan to complete.)
6. Click "Ok", to scan once more.
7. Click "Yes", to shutdown any IE sessions currently open.
8. Click "Yes", to begin the second pass.
9. Click "Save log", and post this log back along with your new log.
10. Click "Exit".
11. Click "Exit".
Reboot your computer normally.
Go to Add/Remove programs and remove(uninstall) the following, if present:
TIBS
The above could appear anywhere within the entry. Be careful not to remove any personal or system software.
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINDOWS\system32\ielt.exe
C:\WINDOWS\System32\audiosrv.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\system32\mslh.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u ieay32.dll
It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
Before we begin, let's move HiJackThis to its own folder; like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders which, with HiJackThis in its current location, we'll lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.
Also move the "Backups" folder, for HiJackThis, if present.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mpujk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mpujk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mpujk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mpujk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mpujk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mpujk.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - C:\WINDOWS\system32\ieay32.dll
O4 - HKLM\..\Run: [2nTNYHE] C:\documents and settings\arlo\local settings\temp\2nTNYHE.exe
O4 - HKLM\..\Run: [H2GnWta] C:\documents and settings\arlo\local settings\temp\H2GnWta.exe
O4 - HKLM\..\Run: [e80c19c28c15] C:\WINDOWS\System32\audiosrv.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [mslh.exe] C:\WINDOWS\system32\mslh.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\RunOnce: [ielt.exe] C:\WINDOWS\system32\ielt.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17b986f3ec36dc4a1c02/netzip/RdxIE601.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\iebd32.exe (file missing)
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\WINDOWS\System32\wsxsvc
C:\WINDOWS\System32\vmss
files...
C:\WINDOWS\system32\ielt.exe
C:\WINDOWS\System32\audiosrv.exe
C:\WINDOWS\system32\mslh.exe
C:\WINDOWS\mpujk.dll
C:\WINDOWS\system32\ieay32.dll
C:\documents and settings\arlo\local settings\temp\2nTNYHE.exe
C:\documents and settings\arlo\local settings\temp\H2GnWta.exe
C:\WINDOWS\System32\tibs5.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
Post back a new log.
-
Mike.
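A small triage pass over log lines like the ones listed in the post, added here as an example and not part of the original post: it splits each HijackThis entry into its section code and body, then flags the patterns visible in this log. The rule set and the names `RULES`, `parse` and `triage` are assumptions of this example, not HijackThis behaviour.

```python
import re

# Constructed sample: a few entries copied from the log lines quoted in the post.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mpujk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {1FA74F44-BE14-6F79-094E-4760D87A1B13} - C:\WINDOWS\system32\ieay32.dll
O4 - HKLM\..\Run: [2nTNYHE] C:\documents and settings\arlo\local settings\temp\2nTNYHE.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O15 - Trusted Zone: *.awmdabest.com
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "<section> - <body>"

# Triage heuristics: assumptions of this example, one per pattern seen in the log.
RULES = [
    (("R0", "R1"), re.compile(r"=\s*res://.+\.dll/", re.I),
     "IE search/start page served from a local DLL resource"),
    (("O2",), re.compile(r"\(no name\)", re.I), "unnamed Browser Helper Object"),
    (("O4",), re.compile(r"\\temp\\[^\\]+\.exe", re.I),
     "autorun entry launching from a temp folder"),
    (("O15",), re.compile(r"Trusted (Zone|IP range):", re.I),
     "Trusted zone entry; confirm it was added on purpose"),
    (("O23",), re.compile(r"\(file missing\)", re.I),
     "service registered for a file that no longer exists"),
]

def parse(log):
    """Return [(section, body)] for each well-formed HijackThis line."""
    matches = (ENTRY.match(line.strip()) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def triage(log):
    """Return [(section, reason, body)] for entries matching a rule."""
    findings = []
    for section, body in parse(log):
        for sections, pattern, reason in RULES:
            # Exact section match, so an O23 line is never tested against the O2 rule.
            if section in sections and pattern.search(body):
                findings.append((section, reason, body))
                break
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

Entries that match no rule, such as the `vmss` autorun in the sample, still need manual review; the rules only cover patterns that appear in this log.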