Problem with About: Blank



#1
HankSC

HankSC

    New Member

  • Member
  • Pip
  • 8 posts
Hello,

I am in desperate need of help. I have wasted countless hours and still no luck getting rid of About: Blank.

I followed all your steps in "You Must Read This..." - AdAware SE, CWShredder, Spybot S&D - but it still comes back after reboot or when on-line.

It affects the home page, favorites, extra pop-ups when searching, IE runs automatically on start-up and norton antivirus continues to find files to quarantine - especially if I'm on-line.

Any help would be GREATLY APPRECIATED. Thanks.

Here's the Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:57 PM, on 4/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\IRXFER.EXE
C:\PROGRAM FILES\IOMEGA CD-RW\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\APIED32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\STARFISH\TRUESYNC\TSTOOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO01\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO02\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\HJT2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = 69.61.38.52
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O2 - BHO: Class - {A21EB7C4-13E9-BD64-FCEC-35F1D630907B} - C:\WINDOWS\MSDN32.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [APIED32.EXE] C:\WINDOWS\SYSTEM\APIED32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\dllcmd32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro01\Components\QBAgent\qbdagent2001.exe
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro02\Components\QBAgent\qbdagent2002.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.universit...tivexviewer.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://testimg.charl...s/OBXSelect.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://testimg.charl...s/OBXViewer.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...f6ed2/enter.cab
  • 0


#2
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hello HankSC. After reviewing your log it appears that you have an about:blank infection. There are many variations of this type of infection so I am going to have you run a special tool that will tell me what variant that you have. Then we will be able to determine the type of fix that is required. Please follow the directions outlined below.
  • Download DLLCompare.
  • Double-click on DllCompare.exe to run the program.
  • Click "Run Locate.com" and it will scan your system for files.
  • Once the scan has finished click "Compare" to compare your files to valid Windows files.
  • Once it has finished comparing click "Make a Log of what was found".
  • Click "Yes" at the View Log file? prompt to view the log.
  • Copy and paste the entire log into this topic.
  • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
  • Click "Exit" to exit DLLCompare.
I will review the log when it comes in.

OT
  • 0

#3
HankSC

HankSC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for the response OT,

Here's the log file from DLLCompare:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\d3ts.dll Sun Apr 24 2005 8:06:06a A.... 79,397 77.54 K
________________________________________________

1,024 items found: 1,024 files, 0 directories.
Total of file sizes: 183,312,095 bytes 174.82 M

--------------------End log---------------------


Some items to note:

- the program was locking up every time I pressed "Make a Log of what was found" - tried re-booting, same - closed some programs running in the background (including Norton Anti-virus) and the log completed - I don't know if not having everything running would affect the results

- once it created the log it found nothing, so I ran it again and this time it showed this one file

Thanks again,

Hank
  • 0

#4
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hello again HankSC. Ok, let's get to work. Please print these directions because I'm going to have you boot into Safe Mode at some point. Then, please proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download CleanUp! and install it but do not run it yet. If you have problems getting to the site then download CCleaner and install it, but again, do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = 69.61.38.52
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wjzgl.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A21EB7C4-13E9-BD64-FCEC-35F1D630907B} - C:\WINDOWS\MSDN32.DLL
O4 - HKLM\..\Run: [winmain] winmain.exe
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...f6ed2/enter.cab

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\MSDN32.DLL
C:\WINDOWS\system\wjzgl.dll
C:\WINDOWS\SYSTEM\d3ts.dll
winmain.exe (search for this file and delete all instances)

Step #5

If you downloaded CleanUp! then start the program and click the CleanUp! button.

Or, if you downloaded CCleaner then start that program and click the Run Cleaner button (lower right-hand corner).

Step #6

Make sure that all browser windows are closed, start CWShredder and click on the Fix-> button.

Now reboot your computer to finish the fix. Let it reboot normally.

Step #7

OK. Start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
  • 0

#5
HankSC

HankSC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello Again OT,

Still didn't quite get it - followed all the steps - CleanUp definitely found and deleted some stuff, but about: blank still seems to be around.

Here's the new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 5:04:17 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\D3DK.EXE
C:\WINDOWS\SYSTEM\IPGD32.EXE
C:\WINDOWS\SYSTEM\ATLEI32.EXE
C:\WINDOWS\SYSTEM\D3ZY32.EXE
C:\WINDOWS\SYSTEM\WINHZ.EXE
C:\WINDOWS\APIRC32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\IRXFER.EXE
C:\PROGRAM FILES\IOMEGA CD-RW\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\APIED32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\STARFISH\TRUESYNC\TSTOOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO01\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO02\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\D3DK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\D3ZY32.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\HJT2\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O2 - BHO: Class - {86822A89-02D9-0B3E-41A3-B4335B9F97DB} - C:\WINDOWS\SYSTEM\NETPG32.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [APIED32.EXE] C:\WINDOWS\SYSTEM\APIED32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [D3DK.EXE] C:\WINDOWS\D3DK.EXE /s
O4 - HKLM\..\RunServices: [IPGD32.EXE] C:\WINDOWS\SYSTEM\IPGD32.EXE /s
O4 - HKLM\..\RunServices: [ATLEI32.EXE] C:\WINDOWS\SYSTEM\ATLEI32.EXE /s
O4 - HKLM\..\RunServices: [D3ZY32.EXE] C:\WINDOWS\SYSTEM\D3ZY32.EXE /s
O4 - HKLM\..\RunServices: [WINHZ.EXE] C:\WINDOWS\SYSTEM\WINHZ.EXE /s
O4 - HKLM\..\RunServices: [APIRC32.EXE] C:\WINDOWS\APIRC32.EXE /s
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\dllcmd32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro01\Components\QBAgent\qbdagent2001.exe
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro02\Components\QBAgent\qbdagent2002.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.universit...tivexviewer.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://testimg.charl...s/OBXSelect.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://testimg.charl...s/OBXViewer.cab


A couple of items to note (I don't know if they mean anything but here they are anyway):

- CleanUp said that there were two items in use that it could not delete until restart - I didn't restart right then - I waited until after I ran CWShredder - then restarted - It didn't give me any indication whether Cleanup finished deleting the last two files or not

- Another symptom that I didn't mention before - a symbol will appear down in the sys tray that looks like a red shield with an "X" on it and a pop-up balloon that says "Your Computer Might be at Risk" and then pops up a window that looks like a Microsoft help window that talks about how to "Fight Spyware". Also, separate from this, a window occasionally pops up that says "Windows Security Center - Windows Firewall detected suspicious activity....do you want to learn how to protect your computer."

- A file called "Apied32" is running in the background and it seems like it could be related to the problem - but I could be way off

Alright, enough of my input, I'll let you get back to work.

Thanks again,

Hank
  • 0

#6
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi HankSC. Let's try a different tool.

Run AboutBuster and save the logs:
  • Download About:Buster.zip and unzip it to its own directory.
  • Browse to where you saved AboutBuster and run AboutBuster.exe.
  • Click "OK" at the directions Read: Important! prompt.
  • Click the Update button to check for updates and install any that are available.
  • Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
  • Click "Yes" at the About:Buster prompt to allow it to shut down explorer.exe.
  • Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
  • Click "Exit" and "Exit" again to exit AboutBuster.
Post the AboutBuster log back here and I will review it when it comes in.

Cheers.

OT
  • 0

#7
HankSC

HankSC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey OT,

I think some progress is being made - home page was google when I opened IE to add this post - first time home page wasn't about: blank in a while

Here's the log from AboutBuster:


Scanned at: 5:38:20 PM on: 4/25/05


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Removed! : C:\WINDOWS\deahg.dat
Removed! : C:\WINDOWS\ptlvds.dat
Removed! : C:\WINDOWS\tutqz.dat
Removed! : C:\WINDOWS\xkgjrw.dat
Removed! : C:\WINDOWS\SYSTEM\fsnde.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!


Let me know what's next - thanks again,

Hank
  • 0

#8
HankSC

HankSC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey Again OT,

Spoke too soon - home page is already back to about: blank.


Standing by,

Hank
  • 0

#9
OldTimer

OldTimer

    Global Moderator

  • Global Moderator
  • 3,272 posts
Hi Hank. Please send a current HijackThis log.

Cheers.

OT
  • 0

#10
HankSC

HankSC

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OT,

Here's the new HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:15 PM, on 4/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\D3DK.EXE
C:\WINDOWS\SYSTEM\IPGD32.EXE
C:\WINDOWS\SYSTEM\ATLEI32.EXE
C:\WINDOWS\SYSTEM\D3ZY32.EXE
C:\WINDOWS\SYSTEM\WINHZ.EXE
C:\WINDOWS\APIRC32.EXE
C:\WINDOWS\SYSTEM\ADDOK32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\IOMEGA CD-RW\DIRECTCD.EXE
C:\WINDOWS\IRXFER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\STARFISH\TRUESYNC\TSTOOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO01\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO02\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\IPGD32.EXE
C:\WINDOWS\APIRC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\ADDOK32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ADDOK32.EXE
C:\WINDOWS\SYSTEM\ADDOK32.EXE
C:\WINDOWS\SYSTEM\IPGD32.EXE
C:\WINDOWS\SYSTEM\ADDOK32.EXE
C:\WINDOWS\SYSTEM\JAVARL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O2 - BHO: Class - {6A5229C9-2F01-6A52-521F-8F546DED11C7} - C:\WINDOWS\IEML32.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [APIED32.EXE] C:\WINDOWS\SYSTEM\APIED32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [D3DK.EXE] C:\WINDOWS\D3DK.EXE /s
O4 - HKLM\..\RunServices: [IPGD32.EXE] C:\WINDOWS\SYSTEM\IPGD32.EXE /s
O4 - HKLM\..\RunServices: [ATLEI32.EXE] C:\WINDOWS\SYSTEM\ATLEI32.EXE /s
O4 - HKLM\..\RunServices: [D3ZY32.EXE] C:\WINDOWS\SYSTEM\D3ZY32.EXE /s
O4 - HKLM\..\RunServices: [WINHZ.EXE] C:\WINDOWS\SYSTEM\WINHZ.EXE /s
O4 - HKLM\..\RunServices: [APIRC32.EXE] C:\WINDOWS\APIRC32.EXE /s
O4 - HKLM\..\RunServices: [ADDOK32.EXE] C:\WINDOWS\SYSTEM\ADDOK32.EXE /s
O4 - HKLM\..\RunServices: [JAVARL.EXE] C:\WINDOWS\SYSTEM\JAVARL.EXE /s
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\dllcmd32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro01\Components\QBAgent\qbdagent2001.exe
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro02\Components\QBAgent\qbdagent2002.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.universit...tivexviewer.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://testimg.charl...s/OBXSelect.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://testimg.charl...s/OBXViewer.cab


Hank
  • 0

#11
OldTimer

  • Global Moderator
  • 3,272 posts
Hey HankSC. Print these directions and then proceed with the following steps in order.

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

Run AboutBuster and save the logs:
  • Browse to where you saved AboutBuster and run AboutBuster.exe.
  • Click "OK" at the directions Read: Important! prompt.
  • Click the Update button to check for updates and install any that are available.
  • Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
  • Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
  • Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
  • Click "Exit" and "Exit" again to exit AboutBuster.
Step #3

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
C:\WINDOWS\SYSTEM\IPGD32.EXE
C:\WINDOWS\SYSTEM\ADDOK32.EXE
C:\WINDOWS\SYSTEM\JAVARL.EXE
C:\WINDOWS\system\iammr.dll
C:\WINDOWS\SYSTEM\APIED32.EXE
C:\WINDOWS\SYSTEM\ATLEI32.EXE
C:\WINDOWS\SYSTEM\D3ZY32.EXE
C:\WINDOWS\SYSTEM\WINHZ.EXE
C:\WINDOWS\APIRC32.EXE
C:\WINDOWS\D3DK.EXE
C:\WINDOWS\IEML32.DLL

Step #4

Reboot normally but do not connect to the internet yet. Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\iammr.dll/sp.html#58582
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6A5229C9-2F01-6A52-521F-8F546DED11C7} - C:\WINDOWS\IEML32.DLL
O4 - HKLM\..\Run: [APIED32.EXE] C:\WINDOWS\SYSTEM\APIED32.EXE
O4 - HKLM\..\RunServices: [D3DK.EXE] C:\WINDOWS\D3DK.EXE /s
O4 - HKLM\..\RunServices: [IPGD32.EXE] C:\WINDOWS\SYSTEM\IPGD32.EXE /s
O4 - HKLM\..\RunServices: [ATLEI32.EXE] C:\WINDOWS\SYSTEM\ATLEI32.EXE /s
O4 - HKLM\..\RunServices: [D3ZY32.EXE] C:\WINDOWS\SYSTEM\D3ZY32.EXE /s
O4 - HKLM\..\RunServices: [WINHZ.EXE] C:\WINDOWS\SYSTEM\WINHZ.EXE /s
O4 - HKLM\..\RunServices: [APIRC32.EXE] C:\WINDOWS\APIRC32.EXE /s
O4 - HKLM\..\RunServices: [ADDOK32.EXE] C:\WINDOWS\SYSTEM\ADDOK32.EXE /s
O4 - HKLM\..\RunServices: [JAVARL.EXE] C:\WINDOWS\SYSTEM\JAVARL.EXE /s

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file and the AboutBuster log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

Edited by OldTimer, 25 April 2005 - 11:41 PM.

  • 0

#12
HankSC

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hello Again OT,

Here's the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:56:22 AM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SYSMT32.EXE
C:\WINDOWS\SYSTEM\CRHT.EXE
C:\WINDOWS\MFCDH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\IRXFER.EXE
C:\PROGRAM FILES\IOMEGA CD-RW\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSFU32.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\STARFISH\TRUESYNC\TSTOOL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO01\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO02\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\HJT2\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O2 - BHO: Class - {477D10CA-7565-DF75-4C8A-3A6A1397E36E} - C:\WINDOWS\SYSTEM\NETVF32.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\DIRECTCD.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [MSFU32.EXE] C:\WINDOWS\SYSTEM\MSFU32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SYSMT32.EXE] C:\WINDOWS\SYSTEM\SYSMT32.EXE /s
O4 - HKLM\..\RunServices: [CRHT.EXE] C:\WINDOWS\SYSTEM\CRHT.EXE /s
O4 - HKLM\..\RunServices: [MFCDH.EXE] C:\WINDOWS\MFCDH.EXE /s
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\dllcmd32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro01\Components\QBAgent\qbdagent2001.exe
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro02\Components\QBAgent\qbdagent2002.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.universit...tivexviewer.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://testimg.charl...s/OBXSelect.cab
O16 - DPF: {238EC5B8-0BF5-11D5-826E-00010239321B} (OBXViewer Control) - http://testimg.charl...s/OBXViewer.cab


The system would not reboot after AboutBuster and deleting those files - so I rebooted in safemode and fixed the files you listed in Hijack This and then rebooted and looked for those files in Hijack This again and then finished with cleanup.

When I connected to the internet, it seemed like the processor was running more than it should have and then all the symptoms were back.

Let me know what's next. Thanks,

Hank
  • 0

#13
OldTimer

  • Global Moderator
  • 3,272 posts
Hi HankSC. Expound a little bit on "the processor was running too fast". What was your system doing?

You still have something hiding in there. Please print these directions and then proceed with the following steps in order.

Step #1

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Step #2

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Click on Delete on Reboot.
  • Paste the line below into the top Full Path of File to Delete field.
    • C:\WINDOWS\SYSTEM\MSFU32.EXE
  • Click the Delete File button which looks like a stop sign.
  • Click No at the Pending Operations prompt.
Repeat the above steps for each of the following lines. The only difference is that you will be substituting the file listed in the first step with each of the files below.
C:\WINDOWS\SYSTEM\NETVF32.DLL
C:\WINDOWS\SYSTEM\SYSMT32.EXE
C:\WINDOWS\SYSTEM\CRHT.EXE
C:\WINDOWS\MFCDH.EXE

After you add the last file and it prompts to reboot, you should press the Yes button to allow it to do so. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {477D10CA-7565-DF75-4C8A-3A6A1397E36E} - C:\WINDOWS\SYSTEM\NETVF32.DLL
O4 - HKLM\..\Run: [MSFU32.EXE] C:\WINDOWS\SYSTEM\MSFU32.EXE
O4 - HKLM\..\RunServices: [SYSMT32.EXE] C:\WINDOWS\SYSTEM\SYSMT32.EXE /s
O4 - HKLM\..\RunServices: [CRHT.EXE] C:\WINDOWS\SYSTEM\CRHT.EXE /s
O4 - HKLM\..\RunServices: [MFCDH.EXE] C:\WINDOWS\MFCDH.EXE /s

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.

Step #5

Please run at least 2 of the following on-line virus scans:
  • Trend Micro Housecall
  • BitDefender On-Line Virus Scan
  • Panda ActiveScan
Make sure that you choose "fix" or "clean".

Step #6

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
  • 0
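
An added example, not part of OldTimer's post or of HijackThis itself: the O4 entries flagged in this thread share a pattern, a value name identical to the executable's file name with the file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM. The Python below parses O4 registry lines taken from the 4/27/05 log above and flags that pattern; the function names are hypothetical, and the rule is a triage heuristic drawn from this thread only, not a general signature.

```python
import re
from pathlib import PureWindowsPath

# O4 lines copied from the 4/27/05 HijackThis log in this thread (a subset),
# embedded so the example runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MSFU32.EXE] C:\WINDOWS\SYSTEM\MSFU32.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SYSMT32.EXE] C:\WINDOWS\SYSTEM\SYSMT32.EXE /s
O4 - HKLM\..\RunServices: [CRHT.EXE] C:\WINDOWS\SYSTEM\CRHT.EXE /s
O4 - HKLM\..\RunServices: [MFCDH.EXE] C:\WINDOWS\MFCDH.EXE /s
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\dllcmd32.exe
"""

# Registry autoruns look like: O4 - HKLM\..\Run: [ValueName] command line
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Unquoted command: the path ends at the first executable-style extension.
UNQUOTED = re.compile(r"(.+?\.(?:exe|dll|com|bat))(?:\s+(.*))?$", re.IGNORECASE)
# Directories the flagged files in this thread were found in.
# PureWindowsPath compares case-insensitively, as Windows paths do.
DROP_DIRS = {PureWindowsPath(r"C:\WINDOWS"), PureWindowsPath(r"C:\WINDOWS\SYSTEM")}


def split_command(cmd):
    """Split an autorun command line into (path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED.match(cmd)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")


def parse_o4(log_text):
    """Yield one dict per registry-based O4 line; Startup-folder lines are skipped."""
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        path, args = split_command(cmd)
        yield {"key": f"{hive}\\{key}", "name": name,
               "path": PureWindowsPath(path), "args": args}


def matches_thread_pattern(entry):
    """Value name equals the file name AND the file sits directly in a drop dir."""
    path = entry["path"]
    return entry["name"].upper() == path.name.upper() and path.parent in DROP_DIRS


def triage(log_text):
    """Return the O4 registry entries worth a closer look, in log order."""
    return [e for e in parse_o4(log_text) if matches_thread_pattern(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["key"]}: [{e["name"]}] {e["path"]} {e["args"]}'.rstrip())
```

The rule covers only O4 registry autoruns; the O2 BHO line in the same fix list (NETVF32.DLL) falls outside it and still needs review by hand.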

#14
HankSC

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hey OT,


Finally got it. Thanks for all your help - PayPal is on its way.

Here's one final HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:10:58 AM, on 5/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\DOCKAPP.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\IRXFER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT.EXE
C:\PROGRAM FILES\STARFISH\TRUESYNC\TSTOOL.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO01\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO02\COMPONENTS\QBAGENT\QBDAGENT2002.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\CLEAN UP\HJT2\HIJACKTHIS.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BayMgr] DockApp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O4 - Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\tstool.exe
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro01\Components\QBAgent\qbdagent2001.exe
O4 - Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro02\Components\QBAgent\qbdagent2002.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intu...bles/ie/IDA.cab


Thanks again for the help,

Hank
  • 0

#15
OldTimer

  • Global Moderator
  • 3,272 posts
Hi HankSC. Now that's a clean log. Good job! How are things running? Any problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • Right-click My Computer and then click Properties.
  • On the Performance tab, click File System
  • On the Troubleshooting tab, click to select Disable System Restore
  • Click OK twice.
2. Restart your computer.

3. Turn on System Restore.
  • Right-click My Computer and again click Properties
  • On the Performance tab, click File System
  • Clear the check mark in Disable System Restore check box.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
  • 0





