Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

gpbob

9 Posts

1628

April 11th, 2006 13:00

HJT log file

I have been infected with malware DLSearchBar.  My sypware removal program cannot quarntine nor remove it.  I have run HJT and the log file is attached.  Help please.
 
Logfile of HijackThis v1.99.1
Scan saved at 10:06:03 AM, on 4/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert Hinkle\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=www.worldnet.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.worldnet.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll (file missing)
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.worldnet.att.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132512648453
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
 

ALgal

1.2K Posts

April 12th, 2006 00:00

Hello gpbob,

Please do the following:

STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here

  • Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)
  • Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the sweep has finished, click Remove. Click Select All and then Next
  • From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
  • Exit Spy Sweeper.



STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:

  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Disable Microsoft Windows Defender:
We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Do this fix unless you or system administrator set the policy here;
Open HijackThis. Place a check against each of the following:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
After you check these items, close all browsers and windows, except for HijackThis, then click on the Fix Checked

Empty Recycle Bin
Reboot

Please post the results from SpySweeper, ewido and a new hijackthis log.

gpbob

9 Posts

April 14th, 2006 00:00

To ALGal, I have followed your suggestions and have the logs but when I try to past them to this reply I get a response that there is a 20000 character limit.  Even when I try to post only one log.
 
How do I do this?
 
gpbob+

ALgal

1.2K Posts

April 14th, 2006 01:00

Can you split up the logs and post several times?

gpbob

9 Posts

April 14th, 2006 19:00

Here is the Ewido scan log

---------------------------------------------------------

 ewido anti-malware - Scan report

---------------------------------------------------------

 

 + Created on:                7:20:55 PM, 4/12/2006

 + Report-Checksum:           82333A76

 

 + Scan result:

 

     HKU\S-1-5-21-2650805779-1449655655-3289834387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{27150F81-0877-42E9-AF13-55E5A3439A26} -> Adware.Generic : Cleaned with backup

     HKU\S-1-5-21-2650805779-1449655655-3289834387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} -> Adware.Generic : Cleaned with backup

     HKU\S-1-5-21-2650805779-1449655655-3289834387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{27150F81-0877-42E9-AF13-55E5A3439A26} -> Adware.Generic : Cleaned with backup

     HKU\S-1-5-21-2650805779-1449655655-3289834387-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0103CD4-D1CE-411A-B75B-4FEC072867F4} -> Trojan.Puper.ac : Cleaned with backup

     C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqAC.tmp\ld2B53.tmp -> Downloader.Zlob.dd : Cleaned with backup

     C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqAC.tmp\ld2FA7.tmp -> Not-A-Virus.Hoax.Win32.Renos.ar : Cleaned with backup

     C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqAC.tmp\ld686D.tmp -> Not-A-Virus.Hoax.Win32.Renos.ar : Cleaned with backup

     C:\Documents and Settings\All Users\Application Data\Authentium\Curtains150\Quarantine\Quarantine\ppqAC.tmp\ldDD51.tmp -> Not-A-Virus.Hoax.Win32.Renos.ar : Cleaned with backup

     C:\Documents and Settings\Doris Hinkle\Local Settings\Temporary Internet Files\Content.IE5\20HU3RBA\gdnUS2332[1].exe -> Downloader.Small.ayl : Cleaned with backup

     C:\Documents and Settings\Robert Hinkle\Cookies\robert hinkle@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup

     C:\info6_s.cab/Information.exe -> Trojan.Dialer.t : Error during cleaning

     C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP91\A0016068.exe -> Downloader.Agent.td : Cleaned with backup

     C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP91\A0016069.INI:srtvu -> Downloader.Agent.td : Cleaned with backup

     C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP91\A0016071.INI:srtvu -> Downloader.Agent.td : Cleaned with backup

     C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP91\A0016073.INI:srtvu -> Downloader.Agent.td : Cleaned with backup

     C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP91\A0016074.INI:srtvu -> Downloader.Agent.td : Cleaned with backup

     C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP91\A0016075.INI:srtvu -> Downloader.Agent.td : Cleaned with backup

     C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP91\A0016078.dll -> Downloader.Agent.bc : Cleaned with backup

     C:\WINDOWS\IIS6.LOG:ysznj -> Downloader.Agent.bc : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp13D1.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp1529.tmp -> Downloader.Zlob.dr : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp159E.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp196E.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp19BF.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp1DC8.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp1F29.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp21B2.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp2361.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp28A9.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp29AB.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp29CE.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp2BDD.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp2D2B.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp2EB2.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp38CB.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp38FD.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp3B24.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp409E.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp45B4.tmp -> Downloader.Zlob.eo : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp464B.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp48D8.tmp -> Downloader.Zlob.dr : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp4F34.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp5.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp501D.tmp -> Downloader.Zlob.dx : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp50AB.tmp -> Downloader.Zlob.eo : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp538B.tmp -> Hijacker.StartPage.ahb : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp552F.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp5B03.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp5BC7.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp644B.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp6522.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp6B04.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp6B56.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp6C86.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp6CFD.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp7282.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp74E8.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp7A4B.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp8027.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp87C9.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp93C9.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp93E4.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp985D.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp9AC4.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hp9BBF.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpA038.tmp -> Downloader.Zlob.eo : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpA525.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpA538.tmp -> Downloader.Zlob.eo : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpA676.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpAE36.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpAEA7.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpB139.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpB1B9.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpB2C5.tmp -> Downloader.Zlob.eo : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpB5BC.tmp -> Downloader.Zlob.eo : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpB7A8.tmp -> Downloader.Zlob.eo : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpBA05.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpBCB7.tmp -> Downloader.Zlob.ex : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpC2DA.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpC6D2.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpC701.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpC8ED.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpC95F.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpCC3.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpD236.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpD29C.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpD6D8.tmp -> Downloader.Zlob.dr : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpD731.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpDD6.tmp -> Hijacker.StartPage.ahb : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpDEDE.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpE246.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpE6D1.tmp -> Downloader.Zlob.ek : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpE9E2.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpEC5F.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpEE5.tmp -> Downloader.Zlob.fh : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpF157.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpF263.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpF439.tmp -> Hijacker.StartPage.ahb : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpF817.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpF982.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpFC62.tmp -> Downloader.Zlob.eu : Cleaned with backup

     C:\WINDOWS\SYSTEM32\hpFD90.tmp -> Downloader.Zlob.ek : Cleaned with backup

 

 

::Report End

 

gpbob

9 Posts

April 14th, 2006 19:00

Here is part I of the Spy Sweeper log.

4:20 PM: |       Start of Session, Wednesday, April 12, 2006       |

4:20 PM: Spy Sweeper started

4:20 PM: Sweep initiated using definitions version 655

4:20 PM: Starting Memory Sweep

4:30 PM: Memory Sweep Complete, Elapsed Time: 00:10:11

4:30 PM: Starting Registry Sweep

4:31 PM:   Found Trojan Horse: msblast

4:31 PM:   HKLM\software\microsoft\windows\currentversion\run\ || windows auto update (ID = 135297)

4:31 PM:   Found Adware: mit toolbar

4:31 PM:   HKCR\typelib\{159c2e41-9823-11d2-8ddc-d84a1b4acd4d}\  (9 subtraces) (ID = 1017159)

4:31 PM:   HKLM\software\classes\typelib\{159c2e41-9823-11d2-8ddc-d84a1b4acd4d}\  (9 subtraces) (ID = 1017218)

4:31 PM:   Found Adware: spyaxe fakealert

4:31 PM:   HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {a2c8f6b1-7c2a-3d1c-a3c6-a1fda113b43f} (ID = 1099807)

4:31 PM:   Found Adware: popuper

4:31 PM:   HKCR\clsid\{27150f81-0877-42e9-af13-55e5a3439a26}\  (4 subtraces) (ID = 1109632)

4:31 PM:   HKLM\software\classes\clsid\{27150f81-0877-42e9-af13-55e5a3439a26}\  (4 subtraces) (ID = 1109634)

4:31 PM:   Found Adware: cws-aboutblank

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-501\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)

4:31 PM:   Found Adware: cws sp.html hijack

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-501\software\microsoft\internet explorer\main\ || search bar (ID = 123743)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-501\software\microsoft\internet explorer\main\ || search page (ID = 123744)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-501\software\microsoft\internet explorer\search\ || searchassistant (ID = 123750)

4:31 PM:   Found Adware: hotsurprise

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-501\software\netscape\netscape navigator\user trusted external applications\ || c:\program files\pvm\dialers\hotsurprise\hotsurprise.exe (ID = 938181)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-500\software\netscape\netscape navigator\user trusted external applications\ || c:\program files\pvm\dialers\hotsurprise\hotsurprise.exe (ID = 938181)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1008\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1008\software\microsoft\internet explorer\main\ || search bar (ID = 123743)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1008\software\microsoft\internet explorer\main\ || search page (ID = 123744)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1008\software\microsoft\internet explorer\search\ || searchassistant (ID = 123750)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1008\software\netscape\netscape navigator\user trusted external applications\ || c:\program files\pvm\dialers\hotsurprise\hotsurprise.exe (ID = 938181)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1007\software\microsoft\internet explorer\main\ || homeoldsp (ID = 115923)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1007\software\microsoft\internet explorer\main\ || search bar (ID = 123743)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1007\software\microsoft\internet explorer\main\ || search page (ID = 123744)

4:31 PM:   HKU\WRSS_Profile_S-1-5-21-2650805779-1449655655-3289834387-1007\software\microsoft\internet explorer\search\ || searchassistant (ID = 123750)

4:31 PM:   HKU\S-1-5-21-2650805779-1449655655-3289834387-1006\software\classes\clsid\{a2c8f6b1-7c2a-3d1c-a3c6-a1fda113b43f}\  (3 subtraces) (ID = 1098842)

4:32 PM: Registry Sweep Complete, Elapsed Time:00:01:18

4:32 PM: Starting Cookie Sweep

4:32 PM:   Found Spy Cookie: yieldmanager cookie

4:32 PM:   robert hinkle@ad.yieldmanager[2].txt (ID = 3751)

4:32 PM:   Found Spy Cookie: specificclick.com cookie

4:32 PM:   robert hinkle@adopt.specificclick[1].txt (ID = 3400)

4:32 PM:   Found Spy Cookie: overture cookie

4:32 PM:   robert hinkle@data2.perf.overture[2].txt (ID = 3106)

4:32 PM:   Found Spy Cookie: go.com cookie

4:32 PM:   robert hinkle@espn.go[2].txt (ID = 2729)

4:32 PM:   robert hinkle@go[2].txt (ID = 2728)

4:32 PM:   Found Spy Cookie: classmates cookie

4:32 PM:   robert hinkle@lists.classmates[1].txt (ID = 2385)

4:32 PM:   Found Spy Cookie: webtrends cookie

4:32 PM:   robert hinkle@m.webtrends[2].txt (ID = 3669)

4:32 PM:   robert hinkle@perf.overture[1].txt (ID = 3106)

4:32 PM:   robert hinkle@rsi.espn.go[1].txt (ID = 2729)

4:32 PM:   Found Spy Cookie: seeq cookie

4:32 PM:   robert hinkle@seeq[1].txt (ID = 3331)

4:32 PM:   robert hinkle@sports.espn.go[2].txt (ID = 2729)

4:32 PM:   robert hinkle@www48.seeq[1].txt (ID = 3332)

4:32 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01

4:32 PM: Starting File Sweep

4:32 PM:   Found Adware: internetoptimizer

4:32 PM:   c:\windows\stwsi (ID = -2147480829)

4:33 PM:   Found Adware: cws_tiny0

4:33 PM:   photosuite(3).ini:hqidys (ID = 219918)

4:43 PM:   kb867282.log:qaqtg (ID = 219918)

4:46 PM:   photosuite(4).ini:hqidys (ID = 219918)

5:05 PM:   sdkvw32.dll (ID = 219918)

5:08 PM:   photosuite(6).ini:hqidys (ID = 219918)

5:10 PM:   Found Adware: spysheriff fakealert

5:10 PM:   secure32.html (ID = 184319)

5:14 PM:   photosuite(2).ini:hqidys (ID = 219918)

5:15 PM:   protocol(2).ini:srtvu (ID = 200)

5:15 PM:   kb893066.log:oehpn (ID = 200)

5:16 PM:   h91746.exe (ID = 236055)

5:16 PM:   protocol(3).ini:srtvu (ID = 200)

5:16 PM:   protocol(4).ini:srtvu (ID = 200)

5:16 PM:   oobeact.log:hlfasu (ID = 200)

5:17 PM:   smscfg(2).ini:xawixu (ID = 200)

5:17 PM:   protocol(5).ini:srtvu (ID = 200)

5:18 PM:   smscfg(3).ini:xawixu (ID = 200)

5:18 PM:   protocol(6).ini:srtvu (ID = 200)

5:27 PM:   101 (ID = 235283)

5:32 PM:   addip32(2).exe (ID = 200)

5:39 PM:   Found Adware: coolwebsearch (cws)

 

gpbob

9 Posts

April 14th, 2006 19:00

Here is the final part of the Spy Sweeper log.
 

5:39 PM:   ab scissor.url (ID = 130666)

5:39 PM:   broadband comparison.url (ID = 130667)

5:39 PM:   credit counseling.url (ID = 130668)

5:39 PM:   credit report.url (ID = 130669)

5:39 PM:   crm software.url (ID = 130670)

5:39 PM:   debt credit card.url (ID = 130671)

5:39 PM:   escorts.url (ID = 130672)

5:39 PM:   fha.url (ID = 130673)

5:39 PM:   health insurance.url (ID = 130674)

5:39 PM:   help desk software.url (ID = 130675)

5:39 PM:   insurance home.url (ID = 130676)

5:39 PM:   loan for debt consolidation.url (ID = 130677)

5:39 PM:   loan for people with bad credit.url (ID = 130678)

5:39 PM:   marketing email.url (ID = 130679)

5:39 PM:   mortgage insurance.url (ID = 130680)

5:39 PM:   mortgage life insurance.url (ID = 130681)

5:39 PM:   nevada corporations.url (ID = 130682)

5:39 PM:   online betting site.url (ID = 130683)

5:39 PM:   online gambling casino.url (ID = 130684)

5:39 PM:   online instant loan.url (ID = 130685)

5:39 PM:   order phentermine.url (ID = 130686)

5:39 PM:   payroll advance.url (ID = 130687)

5:39 PM:   personal loans online.url (ID = 130688)

5:39 PM:   personal loans with bad credit.url (ID = 130689)

5:39 PM:   prescription drugs rx online.url (ID = 130690)

5:39 PM:   refinancing my mortgage.url (ID = 130691)

5:39 PM:   tahoe vacation rental.url (ID = 130692)

5:39 PM:   unsecured bad credit loans.url (ID = 130693)

5:39 PM:   videos.url (ID = 130694)

5:39 PM:   what is hydrocodone.url (ID = 130695)

5:39 PM:   ab scissor.url (ID = 130666)

5:39 PM:   broadband comparison.url (ID = 130667)

5:39 PM:   credit counseling.url (ID = 130668)

5:39 PM:   credit report.url (ID = 130669)

5:39 PM:   crm software.url (ID = 130670)

5:39 PM:   debt credit card.url (ID = 130671)

5:39 PM:   escorts.url (ID = 130672)

5:39 PM:   fha.url (ID = 130673)

5:39 PM:   health insurance.url (ID = 130674)

5:39 PM:   help desk software.url (ID = 130675)

5:39 PM:   insurance home.url (ID = 130676)

5:39 PM:   loan for debt consolidation.url (ID = 130677)

5:39 PM:   loan for people with bad credit.url (ID = 130678)

5:39 PM:   marketing email.url (ID = 130679)

5:39 PM:   mortgage insurance.url (ID = 130680)

5:39 PM:   mortgage life insurance.url (ID = 130681)

5:39 PM:   nevada corporations.url (ID = 130682)

5:39 PM:   online betting site.url (ID = 130683)

5:39 PM:   online gambling casino.url (ID = 130684)

5:39 PM:   online instant loan.url (ID = 130685)

5:39 PM:   order phentermine.url (ID = 130686)

5:39 PM:   payroll advance.url (ID = 130687)

5:39 PM:   personal loans online.url (ID = 130688)

5:39 PM:   personal loans with bad credit.url (ID = 130689)

5:39 PM:   prescription drugs rx online.url (ID = 130690)

5:39 PM:   refinancing my mortgage.url (ID = 130691)

5:40 PM:   tahoe vacation rental.url (ID = 130692)

5:40 PM:   unsecured bad credit loans.url (ID = 130693)            

5:40 PM:   videos.url (ID = 130694)

5:40 PM:   what is hydrocodone.url (ID = 130695)

5:40 PM:   Warning: Unhandled Archive Type

5:40 PM:   Warning: Invalid file - not a PKZip file

5:42 PM:   Warning: Invalid Stream

5:42 PM:   Warning: Invalid file - not a PKZip file

5:42 PM: File Sweep Complete, Elapsed Time: 01:10:09

5:42 PM: Full Sweep has completed.  Elapsed time 01:21:50

5:42 PM: Traces Found: 143

5:59 PM: Removal process initiated

5:59 PM:   Quarantining All Traces: cws-aboutblank

5:59 PM:   Quarantining All Traces: popuper

5:59 PM:   Quarantining All Traces: spysheriff fakealert

5:59 PM:   Quarantining All Traces: coolwebsearch (cws)

5:59 PM:   Quarantining All Traces: cws_tiny0

6:00 PM:   Quarantining All Traces: hotsurprise

6:00 PM:   Quarantining All Traces: internetoptimizer

6:00 PM:   Quarantining All Traces: mit toolbar

6:00 PM:   Quarantining All Traces: msblast

6:00 PM:   Quarantining All Traces: cws sp.html hijack

6:00 PM:   Quarantining All Traces: spyaxe fakealert

6:00 PM:   Quarantining All Traces: classmates cookie

6:00 PM:   Quarantining All Traces: go.com cookie

6:00 PM:   Quarantining All Traces: overture cookie

6:00 PM:   Quarantining All Traces: seeq cookie

6:00 PM:   Quarantining All Traces: specificclick.com cookie

6:00 PM:   Quarantining All Traces: webtrends cookie

6:00 PM:   Quarantining All Traces: yieldmanager cookie

6:02 PM: Removal process completed.  Elapsed time 00:03:03

********

4:17 PM: |       Start of Session, Wednesday, April 12, 2006       |

4:17 PM: Spy Sweeper started

4:18 PM: Your spyware definitions have been updated.

4:20 PM: |       End of Session, Wednesday, April 12, 2006     

gpbob

9 Posts

April 14th, 2006 20:00

Here is the HJT log.
 
Logfile of HijackThis v1.99.1
Scan saved at 4:58:31 PM, on 4/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
c:\program files\cox\applications\app\PRISM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\Robert Hinkle\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=www.worldnet.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.worldnet.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\AUserInit.exe
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll (file missing)
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.worldnet.att.net
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132512648453
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/35/install/gtdownde.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

ALgal

1.2K Posts

April 15th, 2006 09:00

Hello gpbob,

Please do the following:

Hello and Welcome to the Forums!

STEP 1.
======
Please read before you disable antispy to fix hijackthis entry. This one entry in hijackthis may or may not need to be fixed.
Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it click >Options over to the left then >program options>Uncheck "load at windows startup"
  • Over to the left click "shields" and uncheck all there.
  • Uncheck" home page shield".
  • Uncheck ''automatically restore default without notification".

After all of the fixes are complete it is very important that you enable SpySweeper again.

Disable Microsoft Windows Defender:
We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings.
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

If you or your administrator set the policy below on purpose or if you used Spybots Home Page and Option Lock down features in the Immunize section of Spybot, do not check to remove!
Scan with HijackThis. Place a check against each of the following:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

STEP 2.
======
Delete Files with Killbox

Download Pocket Killbox from http://www.downloads.subratam.org/KillBox.zip and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\info6_s.cab/Information.exe

In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- click End Explorer Shell while Killing File
- Now click on the button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the " Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.

STEP 3.
Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.

Copy and paste that information from Kapersky, with another hijackthis log.

Was this post helpful?

View All

No Events found!

Top