Too bad my first post has to be about Aurora, but then I'm 100% glad I found this group when it was most needed!
Thanks for your help!
Edited by digimime, 30 May 2005 - 10:26 AM.
HiJackThis Download[RESOLVED]
Started by
digimime
, May 14 2005 02:55 PM
-
This topic is locked
#1
Posted 14 May 2005 - 02:55 PM
digimime
-
- Member
-
- 23 posts
Member
Too bad my first post has to be about Aurora, but then I'm 100% glad I found this group when it was most needed!
Thanks for your help!
#2
Guest_thatman_*
Posted 18 May 2005 - 03:33 PM
Guest_thatman_*
Guest_thatman_*
-
- Guest
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.
Kc
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.
Kc
#3
Posted 19 May 2005 - 05:23 PM
digimime
- Topic Starter
-
- Member
-
- 23 posts
Member
Hello thatman,
Following is the Panda log. I was unable to find a way to download the HJT log. Your help is much appreciated!
Following is the Panda log. I was unable to find a way to download the HJT log. Your help is much appreciated!
Edited by digimime, 30 May 2005 - 10:29 AM.
#4
Posted 19 May 2005 - 10:17 PM
digimime
- Topic Starter
-
- Member
-
- 23 posts
Member
Hello again, thatman,
Edited by digimime, 30 May 2005 - 10:30 AM.
#5
Guest_thatman_*
Posted 20 May 2005 - 03:40 AM
Guest_thatman_*
Guest_thatman_*
-
- Guest
Hi digimime
Please read through the instructions before you start (you may want to print this out).
Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet
Download Pocket Killbox and unzip it; save it to your Desktop.
Reboot into Safe Mode: Click here if you don't know how to do this.
Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:
Run ewido fullscan save the log psot the log with the other items
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\INF\btgrab.inf
C:\WINDOWS\INF\polall1r.inf
C:\WINDOWS\INF\farmmext.inf
C:\WINDOWS\SYSTEM32\SWLAD1.dll
C:\WINDOWS\SYSTEM32\setup_incred_1.exe
C:\WINDOWS\SYSTEM32\ss_msi1_setup.exe
C:\WINDOWS\SYSTEM32\PopOops2.dll
C:\WINDOWS\SYSTEM32\xmlparse.dll
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\SYSTEM32\PopOops.dll
C:\WINDOWS\SYSTEM32\SWRT01.dll
C:\WINDOWS\SYSTEM32\SWLAD2.dll
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\SYSTEM32\c58bKs.dll
C:\WINDOWS\SYSTEM32\Lycos.dll
C:\WINDOWS\SYSTEM32\biK.exe
C:\WINDOWS\SYSTEM32\lsp.dll
C:\WINDOWS\SYSTEM32\im64.dll
C:\WINDOWS\SYSTEM32\msbb.exe
C:\WINDOWS\SYSTEM32\msbbhook.dll
C:\WINDOWS\SYSTEM32\sahagent1019.exe
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\SYSTEM32\stmtreco.exe
C:\WINDOWS\SYSTEM32\randreco.exe
C:\WINDOWS\SYSTEM32\lmlysfj.exe
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\kxut.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\satmat.ini
C:\WINDOWS\TEMP\biK.inf
C:\WINDOWS\TEMP\bi.dll
C:\WINDOWS\TEMP\biprep.exe
C:\WINDOWS\TEMP\Belt.ini
C:\WINDOWS\TEMP\polmx2.inf
C:\WINDOWS\TEMP\polmx2.exe
C:\WINDOWS\TEMP\twc\installer\bin\AddFavorites.vbs
C:\WINDOWS\TEMP\bi.cab
C:\WINDOWS\TEMP\bi.cab[bi.inf]
C:\WINDOWS\TEMP\bi.cab[bi.dll]
C:\WINDOWS\TEMP\bi.inf
C:\WINDOWS\TEMP\randreco.exe
C:\WINDOWS\TEMP\THIE3F.TMP\polall1r.inf
C:\WINDOWS\TEMP\THIE3F.TMP\polall1r.exe
C:\WINDOWS\TEMP\THI675.TMP\polall1r.inf
C:\WINDOWS\TEMP\THI675.TMP\polall1r.exe
C:\WINDOWS\farmmext.ini
C:\WINDOWS\Downloaded Program Files\lsp_.dll
C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
C:\WINDOWS\Downloaded Program Files\xmltok_.dll
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\BI.DLL
C:\WINDOWS\svcproc.exe
C:\WINDOWS\fjooqt.exe
C:\WINDOWS\TSAd.dll
C:\WINDOWS\VcpDLL.dll
C:\WINDOWS\Nail.exe
C:\WINDOWS\BIPREP.EXE
C:\WINDOWS\SAHUninstall.exe
C:\WINDOWS\POLMX2.EXE
C:\Program Files\Common Files\updater\data1.dat
C:\Program Files\Common Files\updater\data2.dat
C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE
C:\Program Files\Lycos\Sidesearch\offline.htm
C:\Program Files\VBouncer\VBouncerInner.EXE
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Program Files\Support.com\backup\wm\wmplayer.exe\80384_58be8be6f_[wmplayer.exe]
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\disp1150.exe
C:\Program Files\Web_Rebates\README.txt
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe
C:\SahAgent.log
C:\undo\backup.cab[BI.INF]
C:\undo\backup.cab[BIK.INF]
C:\undo\backup.cab[POLMX2.INF]
C:\undo\backup.cab[POLALL1R.INF]
C:\undo\backup.cab[Belt.ini]
Reboot when prompted. as normal
Delete the following folders.
C:\Program Files\Common Files\updater[b]<--Dele the whole folder
C:\Program Files\[b]TimeSink\AdGateway[b]<--Dele the whole folder
C:\Program Files\Lycos\[b]Sidesearch[b]<--Dele the whole folder
C:\Program Files\[b]VBouncer[b]<--Dele the whole folder
C:\Program Files\[b]AdDestroyer[b]<--Dele the whole folder
C:\Program Files\[b]Support.com\backup\wm\wmplayer.exe\80384_58be8be6f_[wmplayer.exe]
C:\Program Files\[b]Web_Rebates[b]<--Dele the whole folder
C:\Program Files\[b]Ebates_MoeMoneyMaker[b]<--Dele the whole folder
C:\[b]SahAgent.log[b]<--Dele the whole folder
C:\[b]undo[b]<--Dele the whole folder
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
[b]Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.
Kc
Please read through the instructions before you start (you may want to print this out).
Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet
Download Pocket Killbox and unzip it; save it to your Desktop.
Reboot into Safe Mode: Click here if you don't know how to do this.
Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:
Run ewido fullscan save the log psot the log with the other items
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\INF\btgrab.inf
C:\WINDOWS\INF\polall1r.inf
C:\WINDOWS\INF\farmmext.inf
C:\WINDOWS\SYSTEM32\SWLAD1.dll
C:\WINDOWS\SYSTEM32\setup_incred_1.exe
C:\WINDOWS\SYSTEM32\ss_msi1_setup.exe
C:\WINDOWS\SYSTEM32\PopOops2.dll
C:\WINDOWS\SYSTEM32\xmlparse.dll
C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\SYSTEM32\PopOops.dll
C:\WINDOWS\SYSTEM32\SWRT01.dll
C:\WINDOWS\SYSTEM32\SWLAD2.dll
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\SYSTEM32\c58bKs.dll
C:\WINDOWS\SYSTEM32\Lycos.dll
C:\WINDOWS\SYSTEM32\biK.exe
C:\WINDOWS\SYSTEM32\lsp.dll
C:\WINDOWS\SYSTEM32\im64.dll
C:\WINDOWS\SYSTEM32\msbb.exe
C:\WINDOWS\SYSTEM32\msbbhook.dll
C:\WINDOWS\SYSTEM32\sahagent1019.exe
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\SYSTEM32\stmtreco.exe
C:\WINDOWS\SYSTEM32\randreco.exe
C:\WINDOWS\SYSTEM32\lmlysfj.exe
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\kxut.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\satmat.ini
C:\WINDOWS\TEMP\biK.inf
C:\WINDOWS\TEMP\bi.dll
C:\WINDOWS\TEMP\biprep.exe
C:\WINDOWS\TEMP\Belt.ini
C:\WINDOWS\TEMP\polmx2.inf
C:\WINDOWS\TEMP\polmx2.exe
C:\WINDOWS\TEMP\twc\installer\bin\AddFavorites.vbs
C:\WINDOWS\TEMP\bi.cab
C:\WINDOWS\TEMP\bi.cab[bi.inf]
C:\WINDOWS\TEMP\bi.cab[bi.dll]
C:\WINDOWS\TEMP\bi.inf
C:\WINDOWS\TEMP\randreco.exe
C:\WINDOWS\TEMP\THIE3F.TMP\polall1r.inf
C:\WINDOWS\TEMP\THIE3F.TMP\polall1r.exe
C:\WINDOWS\TEMP\THI675.TMP\polall1r.inf
C:\WINDOWS\TEMP\THI675.TMP\polall1r.exe
C:\WINDOWS\farmmext.ini
C:\WINDOWS\Downloaded Program Files\lsp_.dll
C:\WINDOWS\Downloaded Program Files\xmlparse_.dll
C:\WINDOWS\Downloaded Program Files\xmltok_.dll
C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe
C:\WINDOWS\Downloaded Program Files\WEBInstaller.dll
C:\WINDOWS\BTGrab.dll
C:\WINDOWS\BI.DLL
C:\WINDOWS\svcproc.exe
C:\WINDOWS\fjooqt.exe
C:\WINDOWS\TSAd.dll
C:\WINDOWS\VcpDLL.dll
C:\WINDOWS\Nail.exe
C:\WINDOWS\BIPREP.EXE
C:\WINDOWS\SAHUninstall.exe
C:\WINDOWS\POLMX2.EXE
C:\Program Files\Common Files\updater\data1.dat
C:\Program Files\Common Files\updater\data2.dat
C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE
C:\Program Files\Lycos\Sidesearch\offline.htm
C:\Program Files\VBouncer\VBouncerInner.EXE
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Program Files\Support.com\backup\wm\wmplayer.exe\80384_58be8be6f_[wmplayer.exe]
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\disp1150.exe
C:\Program Files\Web_Rebates\README.txt
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker1.exe
C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
C:\Program Files\Ebates_MoeMoneyMaker\disp350.exe
C:\SahAgent.log
C:\undo\backup.cab[BI.INF]
C:\undo\backup.cab[BIK.INF]
C:\undo\backup.cab[POLMX2.INF]
C:\undo\backup.cab[POLALL1R.INF]
C:\undo\backup.cab[Belt.ini]
Reboot when prompted. as normal
Delete the following folders.
C:\Program Files\Common Files\updater[b]<--Dele the whole folder
C:\Program Files\[b]TimeSink\AdGateway[b]<--Dele the whole folder
C:\Program Files\Lycos\[b]Sidesearch[b]<--Dele the whole folder
C:\Program Files\[b]VBouncer[b]<--Dele the whole folder
C:\Program Files\[b]AdDestroyer[b]<--Dele the whole folder
C:\Program Files\[b]Support.com\backup\wm\wmplayer.exe\80384_58be8be6f_[wmplayer.exe]
C:\Program Files\[b]Web_Rebates[b]<--Dele the whole folder
C:\Program Files\[b]Ebates_MoeMoneyMaker[b]<--Dele the whole folder
C:\[b]SahAgent.log[b]<--Dele the whole folder
C:\[b]undo[b]<--Dele the whole folder
Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
[b]Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.
Kc
#6
Posted 27 May 2005 - 07:31 PM
digimime
- Topic Starter
-
- Member
-
- 23 posts
Member
Back again after many detours. I did some more work with activescan reports and killbox, and the last scan showed no problems. Here are the latest ewido and hijackthis logs. Are there any more scans I need to do before downloading SP2? I'm getting pretty blitzed out... 
Thanks
Thanks
Edited by digimime, 30 May 2005 - 10:34 AM.
#7
Guest_thatman_*
Posted 28 May 2005 - 02:37 AM
Guest_thatman_*
Guest_thatman_*
-
- Guest
Hi digimime
Please read through the instructions before you start (you may want to print this out).
You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder
Please set your system to show all files; please see here if you're unsure how to do this.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL (file missing)
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM32\Ud3rT0n5.dll (file missing)
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\Documents and Settings\All Users\Application Data\Setup\Setup.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: WagBHO.WagBHO - {A7DE7922-14CB-11D6-8BCA-0010A48E5285} - C:\webacc\WagBHO.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL (file missing)
O9 - Extra button: Settings - {02E998F8-5FF1-4a65-9D1D-99059AFCEC01} - C:\webacc\WagBand.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloff...O1/Ud3rT0n5.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them:
C:\PROGRA~1\IncrediFind<--Delete the whole folder
C:\webacc<--Delete the whole folder
C:\Program Files\Ebates_MoeMoneyMaker<--Delete the whole folder
C:\PROGRA~1\COMMON~1\System\MOSearch<--Delete the whole folder
C:\Program Files\Web_Rebates<--Delete the whole folder
Exit Explorer.Reboot as normal.
Post a new HJT.log
Kc
Please read through the instructions before you start (you may want to print this out).
You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder
Please set your system to show all files; please see here if you're unsure how to do this.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL (file missing)
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM32\Ud3rT0n5.dll (file missing)
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\Documents and Settings\All Users\Application Data\Setup\Setup.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: WagBHO.WagBHO - {A7DE7922-14CB-11D6-8BCA-0010A48E5285} - C:\webacc\WagBHO.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL (file missing)
O9 - Extra button: Settings - {02E998F8-5FF1-4a65-9D1D-99059AFCEC01} - C:\webacc\WagBand.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.netpaloff...O1/Ud3rT0n5.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them:
C:\PROGRA~1\IncrediFind<--Delete the whole folder
C:\webacc<--Delete the whole folder
C:\Program Files\Ebates_MoeMoneyMaker<--Delete the whole folder
C:\PROGRA~1\COMMON~1\System\MOSearch<--Delete the whole folder
C:\Program Files\Web_Rebates<--Delete the whole folder
Exit Explorer.Reboot as normal.
Post a new HJT.log
Kc
#8
Posted 29 May 2005 - 04:33 PM
digimime
- Topic Starter
-
- Member
-
- 23 posts
Member
Hello thatman:
Sunday's best:
Logfile of HijackThis v1.99.1
Scan saved at 9:06:09 PM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Sunday's best:
Logfile of HijackThis v1.99.1
Scan saved at 9:06:09 PM, on 5/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Edited by digimime, 02 June 2005 - 03:53 PM.
#9
Guest_thatman_*
Posted 01 June 2005 - 02:40 PM
Guest_thatman_*
Guest_thatman_*
-
- Guest
Hi digimime
Please read through the instructions before you start (you may want to print this out).
You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder
Please set your system to show all files; please see here if you're unsure how to do this.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Click on Fix Checked when finished and exit HijackThis.
C:\PROGRA~1\COMMON~1\System\MOSearch<--Delete the whole folder
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.
Kc
Please read through the instructions before you start (you may want to print this out).
You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder
Please set your system to show all files; please see here if you're unsure how to do this.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Click on Fix Checked when finished and exit HijackThis.
C:\PROGRA~1\COMMON~1\System\MOSearch<--Delete the whole folder
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.
Kc
#10
Posted 01 June 2005 - 03:43 PM
digimime
- Topic Starter
-
- Member
-
- 23 posts
Member
Thanks a million! Your assistance has been so valuable.
Please stay with this area--I work pretty fast.
Best,
Digimime
Please stay with this area--I work pretty fast.
Best,
Digimime
#11
Guest_thatman_*
Posted 01 June 2005 - 04:29 PM
Guest_thatman_*
Guest_thatman_*
-
- Guest
Hi digimime
I will be here waiting
Kc
I will be here waiting
Kc
#12
Posted 01 June 2005 - 10:19 PM
digimime
- Topic Starter
-
- Member
-
- 23 posts
Member
Can it be that this is almost done?? 
Panda:
Housecall: none
Hope you weren't sitting up all night waiting for this
I see that you're in the UK, so would be about 6 hrs. ahead of the sates.
Best, digimime
Panda:
Housecall: none
Hope you weren't sitting up all night waiting for this
I see that you're in the UK, so would be about 6 hrs. ahead of the sates.Best, digimime
Edited by digimime, 03 June 2005 - 09:03 AM.
#13
Guest_thatman_*
Posted 01 June 2005 - 10:31 PM
Guest_thatman_*
Guest_thatman_*
-
- Guest
Hi digimime
Please stay with this area--I work pretty fast
Where is your HJT.log is that coming in the next six hours
Delete all the temp files:
C:\Documents and Settings\Anna-lee Aton\Local Settings\Temp\satmat.cab[satmat.exe]
C:\Documents and Settings\Anna-lee Aton\Local Settings\Temp\satmat.cab[satmat.ini]
Kc
Please stay with this area--I work pretty fast
Where is your HJT.log is that coming in the next six hours
Delete all the temp files:
C:\Documents and Settings\Anna-lee Aton\Local Settings\Temp\satmat.cab[satmat.exe]
C:\Documents and Settings\Anna-lee Aton\Local Settings\Temp\satmat.cab[satmat.ini]
Kc
#14
Posted 02 June 2005 - 10:51 AM
digimime
- Topic Starter
-
- Member
-
- 23 posts
Member
Hello thatman,
[quote]Where is your HJT.log is that coming in the next six hours laughing.gif[/quote]
Waiting for Panda to finish Here goes:
Logfile of HijackThis v1.99.1
Scan saved at 11:32:28 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
[quote]Delete all the temp files:
All I can find now is a satmat 26kb app and two 1KB files for setup & info. Kill all of that??
Thanks again
digimime
[quote]Where is your HJT.log is that coming in the next six hours laughing.gif[/quote]
Waiting for Panda to finish
Here goes:Logfile of HijackThis v1.99.1
Scan saved at 11:32:28 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
[quote]Delete all the temp files:
All I can find now is a satmat 26kb app and two 1KB files for setup & info. Kill all of that??
Thanks again
digimime
Edited by digimime, 02 June 2005 - 06:24 PM.
#15
Guest_thatman_*
Posted 02 June 2005 - 01:05 PM
Guest_thatman_*
Guest_thatman_*
-
- Guest
You have the latest version of VX2. Download L2mfix from one of these two locations:
http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Kc
http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Kc
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
