Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Homepage hijacked & popups [CLOSED]


  • This topic is locked This topic is locked

#1
galant

galant

    Member

  • Member
  • PipPip
  • 13 posts
Hi there. My homepage has changed several times & now locked at "file:///c:/window/hp.htm" cant change. Also having popups without the browser open from partypoker, adshooter, winfixer ect. I have Norton antivirus, spybotS&D. Have also loaded and ran Kaspersky-Mwave Scan. Here's y hijack scan and Kaspersky Mwave Scan logs. Any help would be great. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 9:44:57 PM, on 9/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINPORTRAIT\WPCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SXGTKBAR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISCHED.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PLAXO\2.2.2.4\INSTALLSTUB.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.terra.es/...rl/s/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/windows/hp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://dxxrog.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dxxrog.t.rack.cc/hp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://dxxrog.t.rack.cc/hp.php (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\DATA\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\WinPortrait\wpctrl.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set
O4 - HKLM\..\Run: [NEU] C:\WINDOWS\NEU.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ATI Scheduler] C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\ATISched.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.2.2.4\InstallStub.exe -a
O4 - HKCU\..\Run: [Mrqyndy] C:\WINDOWS\SYSTEM\gpqbb.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {BA224D00-9553-11d2-9D65-00A0CC22CBC4} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 66.230.143.209
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - (no file)
O19 - User stylesheet: c:\windows\system.css



Kaspersky Mwave Scan log

File C:\WINDOWS\sys_ext.dll infected by "Trojan.Win32.StartPage.bx" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL tagged as not-a-virus:AdWare.ReSearch.a. No Action Taken.
File C:\PROGRA~1\EBWU\RHUO.EXE infected by "Trojan-Downloader.Win32.PurityScan.ah" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSfit.exe infected by "Trojan.Win32.StartPage.sy" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall4_80.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\Q824145.exe infected by "Trojan-Downloader.Win32.WinShow.av" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall4_88.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall4_94.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\sys.reg infected by "Trojan.WinREG.StartPage" Virus. Action Taken: File Deleted.
File C:\WINDOWS\vldial.exe tagged as not-a-virus:[bleep]-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\madise.dll infected by "Trojan.Win32.Madise.a" Virus. Action Taken: File Deleted.
File C:\WINDOWS\NDNuninstall5_40.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\load.bat infected by "Trojan-Clicker.Win32.Qhost.a" Virus. Action Taken: File Deleted.
File C:\WINDOWS\ISTactivex.dll infected by "Trojan-Downloader.Win32.IstBar.ag" Virus. Action Taken: File Deleted.
File C:\WINDOWS\nem214.dll infected by "Trojan-Downloader.Win32.Dyfuca.j" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSsfitb.exe tagged as not-a-virus:AdWare.EZula.i. No Action Taken.
File C:\WINDOWS\SYSTEM\q78kdov0.dll tagged as not-a-virus:AdWare.CoolWeb. No Action Taken.
File C:\WINDOWS\SYSTEM\qpaeesv0.exe tagged as not-a-virus:[bleep]-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\SYSTEM\SYSsfitb.dll tagged as not-a-virus:AdWare.ToolBar.SearchIt.g. No Action Taken.
File C:\WINDOWS\SYSTEM\replaceSearch.dll tagged as not-a-virus:AdWare.ReSearch.a. No Action Taken.
File C:\WINDOWS\SYSTEM\msmsgs.exe infected by "Trojan-Downloader.Win32.Zlob.ai" Virus. Action Taken: File Deleted.
File C:\WINDOWS\SYSTEM\q78kdov0.dll tagged as not-a-virus:AdWare.CoolWeb. No Action Taken.
File C:\WINDOWS\SYSTEM\qpaeesv0.exe tagged as not-a-virus:[bleep]-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\SYSTEM\SYSsfitb.dll tagged as not-a-virus:AdWare.ToolBar.SearchIt.g. No Action Taken.
File C:\WINDOWS\SYSTEM\replaceSearch.dll tagged as not-a-virus:AdWare.ReSearch.a. No Action Taken.
File C:\WINDOWS\HELP\Help\services.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\WINDOWS\HELP\Help\smss.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\WINDOWS\HELP\Help\csrss.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchXPlugin3.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\WINDOWS\NDNuninstall4_80.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall4_88.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall4_94.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\vldial.exe tagged as not-a-virus:[bleep]-Dialer.Win32.WebDialer. No Action Taken.
File C:\WINDOWS\NDNuninstall5_40.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\NDNuninstall5_48.exe tagged as not-a-virus:AdWare.NewDotNet. No Action Taken.
File C:\WINDOWS\SYSsfitb.exe tagged as not-a-virus:AdWare.EZula.i. No Action Taken.
File C:\WINDOWS\Connection Wizard\Status\fhgeasyc.exe infected by "Email-Worm.Win32.Sober.q" Virus. Action Taken: File Deleted.
File C:\Program Files\Webdialer\vldial.exe tagged as not-a-virus:[bleep]-Dialer.Win32.WebDialer. No Action Taken.
File C:\Program Files\Norton AntiVirus V460\Quarantine\444A3FF4.exe infected by "Trojan.Win32.StartPage.y" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\44533DE9.hta infected by "Trojan.VBS.StartPage.h" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\11E83DF0.exe infected by "Trojan-Downloader.Win32.Femad.j" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\12647967.exe infected by "Backdoor.Win32.Jeemp.c" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\128E1B38.exe infected by "Trojan-Downloader.Win32.Small.cb" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\17C3057E.exe infected by "Trojan-Downloader.Win32.Donn.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3B8B101E.css infected by "Trojan-Clicker.Win32.Qhost.a" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3B916417.exe infected by "Backdoor.Win32.Jeemp.c" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3B916417.hta infected by "Trojan.VBS.Valg" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\03120F32.htm infected by "Exploit.JS.ActiveXComponent" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\17607B66.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\73911081.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\08DA4DE0.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\35BF474D.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\36694E92.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3A7B2018.htm infected by "Exploit.HTML.Mht" Virus. Action Taken: File Renamed.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3ADD0BAC.class infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\3AED5D9A.htm infected by "Trojan-Downloader.JS.Small.d" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\73ED5C74.exe infected by "Trojan-Dropper.Win32.Small.cu" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\73F3306D.exe infected by "Trojan.Win32.StartPage.kp" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\47E87E29.exe infected by "Trojan.Win32.Small.bm" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\458518DA.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\458C6CD3.exe infected by "Trojan.Win32.Zapchast" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus V460\Quarantine\48D946A6.exe infected by "Trojan.Win32.StartPage.ey" Virus. Action Taken: File Deleted.
File C:\ht.hta infected by "Trojan-Clicker.JS.gen" Virus. Action Taken: File Deleted.
File C:\~WRF0409.tmp infected by "Trojan-Dropper.Win32.Small.adx" Virus. Action Taken: File Deleted.
:tazz:
  • 0

Advertisements


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry for the delay in response,
Need you to do a couple things please,

Please go Here Download CWShredder, Run CWShredder let it fix all it finds, be sure and click the "Fix"button
Reboot your computer

Next
Run Ad-Aware with the latest update.
  • Download the latest version of Ad-Aware (Ad-Aware SE Build 1.06r1) from here.
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • Automatically quarantine objects prior to removal"
      • Safe Mode (always request confirmation)
      • Prompt to update outdated confirmation) - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarrantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Next
  • Please run these two online scans. Make sure they are set to clean automatically:

    TrendMicro's HouseCall

    ActiveScan

  • You should try to delete any files that these scanners are unable to clean. Make sure you check the 'Disinfect automatically' option in Active scan, and check the “Auto Clean” option in TrendMicro, Then let us know if its working better and what the scans found.
Next
Post back a fresh HJT log and log from Active scan please
  • 0

#3
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP