Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Computer is Hijacked [CLOSED]

Started by toferrall , Jul 11 2004 08:11 AM

  • This topic is locked This topic is locked

#16
admin
Posted 12 July 2004 - 07:25 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Open the FINDnFIX folder and then open the keys1 folder. Right-click on the MOVEit.bat file and select 'edit'. That will open the file as an empty text file - copy and paste this line into the blank file:

move C:\WINDOWS\System32\sqlohil.dll.DLL C:\WINDOWS\junkxxx\sqlohil.dll.DLL

Save the file and close. The next step will cause a restart. Still in the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot.

On restart, open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.

Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find "C:FINDnFIX\keys1\MOVEit.bat. Make sure you typed the name correctly then try again."

If that happens, skip that step and proceed this way instead. In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to C:\Windows\System32 folder, find the sqlohil.dll.DLL file (it should be visible now). Highlight the file and using top menu, click Edit>Move to folder...

Select C:\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in FINDnFIX folder, there will be a file called Log1.txt - post it's contents in your next reply.
  • 0

Advertisements

#17
toferrall
Posted 12 July 2004 - 08:40 PM

toferrall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Restore.bat Log1 file:


*** freeatlast100.100free.com ***

Mon 07/12/2004
10:33pm up 0 days, 0:04

Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

***LOG1!***
Scanning for file(s) in System32...

(1)

(2)
**File C:\FINDnFIX\LIST.TXT

(3)

No matches found.

No matches found.

(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


(5)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

* Scanning for moved file... *
* result\\?\C:\JUNKXXX\SQLOHIL.222


C:\JUNKXXX\
sqlohil.222 Tue Jun 29 2004 8:18:52p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\SQLOHIL.222

**File C:\JUNKXXX\SQLOHIL.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2......

A----- SQLOHIL .222 0000E000 20:18.52 29/06/2004

rem replace this entire line with your given command...



--a-- W32i - - - - 57,344 06-29-2004 sqlohil.222
A C:\junkxxx\sqlohil.222
File: <C:\junkxxx\sqlohil.222> CRC-32 : D5C9FB2E MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249
Permissions:
C:\junkxxx\sqlohil.222 BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
HOMEOFERRALL\TIM:F
BUILTIN\Users:R

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 101F01FF ---A DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HOMEOFERRALL\TIM
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: HOMEOFERRALL\TIM

Primary Group: HOMEOFERRALL\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\sqlohil.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x HOMEOFERRALL\TIM
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: HOMEOFERRALL\TIM

Primary Group: HOMEOFERRALL\None


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Notepad check....

C:\WINDOWS\
notepad.exe Tue Jun 29 2004 8:19:22p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

No matches found.

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Tue Jun 29 2004 8:19:22p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-29-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 ( h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 =t vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' b USERProcessHandleQuota3 h X
000012D0: vk y AppInit_DLLsecte
00001310:
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
fAppInit_DLLs֍GC

---------- NEWWIN.TXT
AppInit_DLLsecte
--------------
yes
DEVICE\HARDDISKVOLUME2
DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
000012F0: 01 00 00 00 01 00 79 00 . 5F 44 4C 4C 73 65 63 74 ......y. _DLLsect
**File C:\FINDnFIX\NEWWIN.TXT
_vk
  • 0

#18
admin
Posted 13 July 2004 - 09:08 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Looking good. <_< Nearly there, open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip). Just ignore the email stuff, they're no longer accepting submissions.

Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update'. Rescan with HJT and post a new log in your next reply. :D
  • 0

#19
toferrall
Posted 13 July 2004 - 11:54 AM

toferrall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here is the latest HJT file log: BTW my winpatrol keeps alerting me to changes in my home page for ie explorer. Should I let the change happen or restore? <_<

Logfile of HijackThis v1.98.0
Scan saved at 1:53:01 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DIGStream\digstream.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\TIM\My Documents\Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt2_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt0_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\PROGRA~1\INTERN~2\SSPNG.DLL

Edited by toferrall, 13 July 2004 - 05:28 PM.

  • 0

#20
toferrall
Posted 13 July 2004 - 05:27 PM

toferrall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thank you for your help. Am I done? <_<
  • 0

#21
admin
Posted 13 July 2004 - 06:54 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
A little cleaning up to do. Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
Items in blue are optional, but will improve system performance.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\PROGRA~1\INTERN~2\SSPNG.DLL

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
Link to SpywareBlaster: http://www.geekstogo...tion=show&id=12

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. <_<
  • 0

#22
Kat
Posted 22 September 2005 - 11:01 PM

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP