ClickSearchClick 04 mem.exe Please Help! [CLOSED]

This topic is locked

#1
darky666
New Member, 1 posts
Hello, I'm a new user, and although this is my last resort I feel it's my best port of call to clean my PC without having to reformat my hard drive. My browser has been hijacked by the clicksearchclick virus, disallowing me to click on virtually all online links. Please help. Here is my log, but note my actual log won't post because it is too long: the files that look like this "O4 - HKLM\..\Run: [Ksg] C:\WINDOWS\System32\Rit.exe", there are actually thousands of them, all three-letter files, for example mem.exe or rgp.exe. I've cut most of my log out just so you can view it. Please help me, as I've tried everything I know.

Logfile of HijackThis v1.99.1
Scan saved at 12:46:31, on 16/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\bflbnf.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\System32\svcsysreg.exe
C:\WINDOWS\Gri.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\d3as.exe
C:\WINDOWS\netfu32.exe
C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\Vtr.exe
C:\WINDOWS\System32\Mce.exe
C:\WINDOWS\System32\Mpi.exe
C:\WINDOWS\System32\Isb.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {90A1CA51-6A23-5DA2-64A6-7E96611FAA5E} - C:\WINDOWS\system32\ieru.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [Svcsys Registry Manager] C:\WINDOWS\System32\svcsysreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Hfr] C:\WINDOWS\System32\Ibn.exe
O4 - HKLM\..\Run: [Rof] C:\WINDOWS\System32\Foo.exe
O4 - HKLM\..\Run: [Rfa] C:\WINDOWS\System32\Eto.exe
O4 - HKLM\..\Run: [Foq] C:\WINDOWS\System32\Qqr.exe
O4 - HKLM\..\Run: [Boj] C:\WINDOWS\System32\Fpk.exe
O4 - HKLM\..\Run: [Osm] C:\WINDOWS\System32\Kbr.exe
O4 - HKLM\..\Run: [Jev] C:\WINDOWS\System32\Skl.exe
O4 - HKLM\..\Run: [Jmn] C:\WINDOWS\System32\Qtr.exe
O4 - HKLM\..\Run: [Tek] C:\WINDOWS\System32\Mph.exe
O4 - HKLM\..\Run: [Qis] C:\WINDOWS\System32\Ptu.exe
O4 - HKLM\..\Run: [Mnh] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Qsn] C:\WINDOWS\System32\Ikq.exe
O4 - HKLM\..\Run: [Vut] C:\WINDOWS\System32\Qjb.exe
O4 - HKLM\..\Run: [Qin] C:\WINDOWS\System32\Kna.exe
O4 - HKLM\..\Run: [Huh] C:\WINDOWS\System32\Kqq.exe
O4 - HKLM\..\Run: [Tak] C:\WINDOWS\System32\Ero.exe
O4 - HKLM\..\Run: [Odk] C:\WINDOWS\Idn.exe
O4 - HKLM\..\Run: [Fbh] C:\WINDOWS\System32\Fbf.exe
O4 - HKLM\..\Run: [Kfh] C:\WINDOWS\System32\Uvl.exe
O4 - HKLM\..\Run: [Pno] C:\WINDOWS\System32\Lro.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
O4 - HKLM\..\Run: [Lan] C:\WINDOWS\System32\Jhd.exe
O4 - HKLM\..\Run: [Gvc] C:\WINDOWS\System32\Huo.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autostart
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [iyrjkbp] c:\windows\system32\bflbnf.exe r
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Nbg] C:\WINDOWS\Dmr.exe
O4 - HKCU\..\Run: [Fcg] C:\WINDOWS\System32\Ahr.exe
O4 - HKCU\..\Run: [Emb] C:\WINDOWS\System32\Sqa.exe
O4 - HKCU\..\Run: [Rdc] C:\WINDOWS\System32\Evc.exe
O4 - HKCU\..\Run: [Lap] C:\WINDOWS\System32\Faj.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DF5F31D-3817-41AF-9754-EBB8A02923D9}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F015248-BD84-4FB2-9FCA-28337D7F9E6F}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEBA3C3E-0DA2-485C-B226-DEE0E146A216}: NameServer = 199.166.31.3,199.5.157.128
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6C19CAB-D16E-4FD5-98A0-91AFA9942443}: NameServer = 199.166.31.3,199.5.157.128
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: STOPzilla - C:\WINDOWS\SYSTEM32\IS3WLHandler.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3as.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

#2
miekiemoes
Malware Expert, MVP, 5,503 posts
Hello,

It is really important that you perform my steps in the right order! So I suggest you print out the next steps or save them in Notepad, because you'll have to perform steps in safe mode and this page won't be available then.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Download AboutBuster.
Unzip AboutBuster into its own folder such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close AboutBuster now; you must not run it yet, that's for later.

Download and Save Spywadfix to your computer from this link:
http://www.thespykil...s/spywadfix.exe
Don't use it yet.

* Download and install CCleaner
Do not use it yet.

* Download Nail/Aurora Spyware Fix
Unzip/extract it.
Do not use it yet!

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

* Download CWShredder. Don't let it run yet!

* Reboot into Safe Mode (without networking support!)
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Open the nailfix folder and double-click nailfix.cmd. <== don't forget this step!!
Your taskbar and icons will disappear for a couple of seconds, that is normal.

Double-click spywadfix.exe.
It will automatically extract to c:\spywad, where it needs to be to run, and will automatically open the remove spywad.vbs script for you, ready to paste in the line mentioned below.
It will open an input box. Paste this line into the box:

C:\WINDOWS\System32\Vtr.exe

Let it run.

After that fix,

Normally HijackThis will start automatically, so check and fix the next lines in it.
If HijackThis doesn't start automatically, start it manually.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {90A1CA51-6A23-5DA2-64A6-7E96611FAA5E} - C:\WINDOWS\system32\ieru.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Svcsys Registry Manager] C:\WINDOWS\System32\svcsysreg.exe
O4 - HKLM\..\Run: [Hfr] C:\WINDOWS\System32\Ibn.exe
O4 - HKLM\..\Run: [Rof] C:\WINDOWS\System32\Foo.exe
O4 - HKLM\..\Run: [Rfa] C:\WINDOWS\System32\Eto.exe
O4 - HKLM\..\Run: [Foq] C:\WINDOWS\System32\Qqr.exe
O4 - HKLM\..\Run: [Boj] C:\WINDOWS\System32\Fpk.exe
O4 - HKLM\..\Run: [Osm] C:\WINDOWS\System32\Kbr.exe
O4 - HKLM\..\Run: [Jev] C:\WINDOWS\System32\Skl.exe
O4 - HKLM\..\Run: [Jmn] C:\WINDOWS\System32\Qtr.exe
O4 - HKLM\..\Run: [Tek] C:\WINDOWS\System32\Mph.exe
O4 - HKLM\..\Run: [Qis] C:\WINDOWS\System32\Ptu.exe
O4 - HKLM\..\Run: [Mnh] C:\WINDOWS\System32\Jjq.exe
O4 - HKLM\..\Run: [Qsn] C:\WINDOWS\System32\Ikq.exe
O4 - HKLM\..\Run: [Vut] C:\WINDOWS\System32\Qjb.exe
O4 - HKLM\..\Run: [Qin] C:\WINDOWS\System32\Kna.exe
O4 - HKLM\..\Run: [Huh] C:\WINDOWS\System32\Kqq.exe
O4 - HKLM\..\Run: [Tak] C:\WINDOWS\System32\Ero.exe
O4 - HKLM\..\Run: [Odk] C:\WINDOWS\Idn.exe
O4 - HKLM\..\Run: [Fbh] C:\WINDOWS\System32\Fbf.exe
O4 - HKLM\..\Run: [Kfh] C:\WINDOWS\System32\Uvl.exe
O4 - HKLM\..\Run: [Pno] C:\WINDOWS\System32\Lro.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
O4 - HKLM\..\Run: [Lan] C:\WINDOWS\System32\Jhd.exe
O4 - HKLM\..\Run: [Gvc] C:\WINDOWS\System32\Huo.exe
O4 - HKLM\..\Run: [iyrjkbp] c:\windows\system32\bflbnf.exe r
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [Nbg] C:\WINDOWS\Dmr.exe
O4 - HKCU\..\Run: [Fcg] C:\WINDOWS\System32\Ahr.exe
O4 - HKCU\..\Run: [Emb] C:\WINDOWS\System32\Sqa.exe
O4 - HKCU\..\Run: [Rdc] C:\WINDOWS\System32\Evc.exe
O4 - HKCU\..\Run: [Lap] C:\WINDOWS\System32\Faj.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3as.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)


*Navigate to and delete the following files/folders if present:

c:\windows\system32\bflbnf.exe
C:\WINDOWS\System32\svcsysreg.exe
C:\WINDOWS\d3as.exe
C:\WINDOWS\netfu32.exe
C:\WINDOWS\System32\Services <== folder. Don't delete services.exe!!
C:\WINDOWS\system32\ieru.dll
C:\WINDOWS\System32\spoolsrv32.exe
C:\Program Files\Common Files\WinTools <== folder

*Start AboutBuster and let it scan. When the scan is done and you choose Exit, it will automatically create a log in the same folder where AboutBuster is.

*Start CWShredder and click Fix.

* Run CCleaner and click Run Cleaner (bottom right).

* Still in safe mode, perform a full scan with ewido.
Let it delete everything it is finding.
When finished, you'll get the option to make a log.
Save this log, because I'll need that later.

Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there.

Reboot back to normal mode.
Post a new HijackThis log + the log from AboutBuster + the log from the ewido scan.

Edited by miekiemoes, 16 June 2005 - 05:28 PM.

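The triage the expert performs above, picking out of the log in post #1 the res:// search redirections, the three-letter random autorun entries, the SVCHOST.EXE living in a System32\Services\{GUID} folder, the unknown-owner services in the Windows root, the orphaned service and the Trusted Zone entry, can be written down as a small log checker so that the same pattern is caught the next time a log of this shape turns up. The block below is an added example, not code from this thread or from HijackThis; the sample lines are copied from the posted log, and the heuristics are this example's own assumptions about what separates the suspicious entries from the legitimate ones (Winamp, ScsiAccess) that the expert left alone.

```python
"""Triage heuristics for HijackThis log lines (added example, not from the thread)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: a subset of the lines from the log posted in the thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yoxbd.dll/sp.html#37049
O2 - BHO: Class - {90A1CA51-6A23-5DA2-64A6-7E96611FAA5E} - C:\WINDOWS\system32\ieru.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Hfr] C:\WINDOWS\System32\Ibn.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{2D8185B9-7C85-41B0-9045-14463A9EC669}\SVCHOST.EXE
O4 - HKCU\..\Run: [Nbg] C:\WINDOWS\Dmr.exe
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\d3as.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
"""

# Line shapes as HijackThis prints them (O4 autoruns, O23 services, O2 BHOs).
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)
FILE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.I)
THREE_LETTERS = re.compile(r"^[A-Za-z]{3}$")
WINDIR_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.I)
WINDIR_OR_SYS32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\(?:System32\\)?[^\\]+\.exe$", re.I)


def check_line(line: str) -> Optional[str]:
    """Return a reason string if the line matches one of the heuristics, else None.

    The heuristics are assumptions of this example, chosen to reproduce the
    choices made in the thread; they are not a HijackThis rule set.
    """
    line = line.rstrip()
    # R0/R1: IE search/start settings pointing into a local DLL resource.
    if line[:2] in ("R0", "R1") and "res://" in line:
        return "IE search/start setting redirected into a local DLL resource (res://)"
    m = BHO_RE.match(line)
    if m and m.group("name").strip().lower() == "class":
        return "BHO registered with no descriptive name"
    m = RUN_RE.match(line)
    if m:
        exe = EXE_RE.search(m.group("rest"))
        path = exe.group(1) if exe else m.group("rest")
        if re.search(r"\\System32\\Services\\\{", path, re.I):
            return "autorun from a non-standard System32\\Services\\{GUID} folder"
        base = path.rsplit("\\", 1)[-1]
        stem = base[:-4] if base.lower().endswith(".exe") else base
        if THREE_LETTERS.match(m.group("name")) and THREE_LETTERS.match(stem) \
                and WINDIR_OR_SYS32.match(path):
            return "random three-letter autorun entry in the Windows directory"
        return None
    if line.startswith("O15 - Trusted Zone:"):
        return "Trusted Zone entry: verify the site was added deliberately"
    m = SVC_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        rest = m.group("rest")
        if rest.endswith("(file missing)"):
            return "service whose binary is missing (orphaned registration)"
        if WINDIR_ROOT.match(rest):
            return "unknown-owner service running directly from the Windows directory"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run every line through check_line and collect (line, reason) pairs."""
    return [(ln, r) for ln in log_text.splitlines() for r in [check_line(ln)] if r]


def files_to_inspect(findings: List[Tuple[str, str]]) -> List[str]:
    """Collect the .exe/.dll paths named by flagged lines, the way the
    'navigate to and delete the following files' list is built by hand."""
    paths = set()
    for line, _ in findings:
        for m in FILE_RE.finditer(line):
            paths.add(m.group(1))
    return sorted(paths)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for line, reason in found:
        print(f"[{reason}]\n    {line}")
    print("\nFiles to inspect:")
    for p in files_to_inspect(found):
        print("   ", p)
```

The three-letter rule is deliberately narrow (registry value name and file stem both exactly three letters, file located in the Windows directory or System32), which is why winampa.exe is left alone and why it would also miss a randomly named file placed anywhere else; the other rules stand on their own, so an entry such as the orphaned WinTools service is still reported even though its name is descriptive.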

#3
miekiemoes
Malware Expert, MVP, 5,503 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.