
Help please! CLKOPTIM. WEBsearch toolbar Look2me



#1
zombie/blood


    New Member

  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.99.0
Scan saved at 12:07:29 PM, on 1/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wgrwog.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\nghtmr\prgrms\spy sweeper\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\MotorolaDAP.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\nghtmr\prgrms\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpySweeper] "C:\Documents and Settings\nghtmr\prgrms\spy sweeper\Spy Sweeper\SpySweeper.exe" /1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Compaq Advisor - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Motorola Digital Audio Player Manager - Motorola Inc. - C:\WINDOWS\system32\MotorolaDAP.exe
O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


I run Spysweeper and SpyBot, and everything comes back.
I even tried running them in safe mode, but they still return.
  • 0



#2
admin


    Founder Geek

  • Administrator
  • 24,501 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

  • 0

#3
zombie/blood


    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\nghtmr\prgrms\New Folder\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is PRESARIO
Volume Serial Number is 686B-7073

Directory of C:\WINDOWS\System32

01/10/2005 11:58 AM 225,534 fn2021fmg.dll
01/10/2005 11:35 AM 225,534 l46o0ej3eho.dll
01/10/2005 11:34 AM 225,534 idfxdev.dll
01/09/2005 01:23 PM 225,534 s4pu0e79eh.dll
01/09/2005 01:07 PM 222,836 j6n2lg5o16.dll
12/29/2004 10:19 PM 225,534 lv2m09f1e.dll
12/28/2004 12:11 AM <DIR> dllcache
12/25/2004 09:25 AM 226,133 p28q0cl5efq.dll
12/19/2004 01:28 PM 224,158 aza2lafo1d2c.dll
12/19/2004 10:26 AM 225,174 d6j0lg1m16.dll
12/18/2004 11:49 PM 223,061 fp4803hue.dll
12/18/2004 10:30 PM 226,234 d8j02i1mg8.dll
12/18/2004 04:05 PM 224,884 uyiplat.dll
12/18/2004 04:05 PM 225,034 i0nm0a51ed.dll
12/18/2004 02:54 PM 223,922 h20qlcd51f0.dll
12/18/2004 02:21 PM 224,096 k4pm0e71eh.dll
12/18/2004 01:50 PM 223,922 e0jmla111d.dll
12/18/2004 01:32 PM 223,922 q4nu0e59eh.dll
12/18/2004 01:30 PM 223,922 g022lafo1d2c.dll
12/18/2004 12:43 PM 223,922 dnl0013me.dll
12/18/2004 02:47 AM 223,922 lv0m09d1e.dll
12/17/2004 10:38 PM 223,922 h6l2lg3o16.dll
12/17/2004 09:18 PM 223,922 e6020gdoe60c0.dll
08/02/2002 03:51 AM <DIR> Microsoft
22 File(s) 4,940,656 bytes
2 Dir(s) 45,075,877,888 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is PRESARIO
Volume Serial Number is 686B-7073

Directory of C:\WINDOWS\System32

01/10/2005 11:50 AM <DIR> wsxsvc
01/10/2005 11:31 AM <DIR> vmss
12/28/2004 12:11 AM <DIR> dllcache
08/01/2002 09:45 PM 488 logonui.exe.manifest
08/01/2002 09:45 PM 488 WindowsLogon.manifest
08/01/2002 09:44 PM 749 sapi.cpl.manifest
08/01/2002 09:44 PM 749 wuaucpl.cpl.manifest
08/01/2002 09:44 PM 749 nwc.cpl.manifest
08/01/2002 09:44 PM 749 cdplayer.exe.manifest
08/01/2002 09:44 PM 749 ncpa.cpl.manifest
08/10/2001 01:46 AM 64,512 PackethSvc.exe
8 File(s) 69,233 bytes
3 Dir(s) 45,075,873,792 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is PRESARIO
Volume Serial Number is 686B-7073

Directory of C:\WINDOWS\System32

01/10/2005 12:26 PM 225,534 guard.tmp
1 File(s) 225,534 bytes
0 Dir(s) 45,075,873,792 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C is PRESARIO
Volume Serial Number is 686B-7073

Directory of C:\WINDOWS\System32

01/10/2005 12:26 PM 225,534 guard.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH0018.TMP
08/03/2004 11:56 PM 1,236,480 ~GLH0015.TMP
08/18/2001 02:00 PM 2,577 CONFIG.TMP
03/13/2001 02:49 PM 140,288 ~GLH0010.TMP
5 File(s) 2,841,359 bytes
0 Dir(s) 45,075,873,792 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D4AB63E5-08ED-40A6-8E2E-856BF7D2ECC9}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s6pulg7916.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
aza2la~1.dll Sun Dec 19 2004 1:28:36p ..S.R 224,158 218.90 K
d6j0lg~1.dll Sun Dec 19 2004 10:26:30a ..S.R 225,174 219.89 K
d8j02i~1.dll Sat Dec 18 2004 10:30:52p ..S.R 226,234 220.93 K
dnl001~1.dll Sat Dec 18 2004 12:43:40p ..S.R 223,922 218.67 K
e0jmla~1.dll Sat Dec 18 2004 1:50:22p ..S.R 223,922 218.67 K
e6020g~1.dll Fri Dec 17 2004 9:18:18p ..S.R 223,922 218.67 K
fn2021~1.dll Mon Jan 10 2005 11:58:36a ..S.R 225,534 220.25 K
fp4803~1.dll Sat Dec 18 2004 11:49:22p ..S.R 223,061 217.83 K
g022la~1.dll Sat Dec 18 2004 1:30:28p ..S.R 223,922 218.67 K
h20qlc~1.dll Sat Dec 18 2004 2:54:08p ..S.R 223,922 218.67 K
h6l2lg~1.dll Fri Dec 17 2004 10:38:34p ..S.R 223,922 218.67 K
i0nm0a~1.dll Sat Dec 18 2004 4:05:44p ..S.R 225,034 219.76 K
idfxdev.dll Mon Jan 10 2005 11:34:58a ..S.R 225,534 220.25 K
j6n2lg~1.dll Sun Jan 9 2005 1:07:42p ..S.R 222,836 217.61 K
k4pm0e~1.dll Sat Dec 18 2004 2:21:46p ..S.R 224,096 218.84 K
l46o0e~1.dll Mon Jan 10 2005 11:36:00a ..S.R 225,534 220.25 K
lv0m09~1.dll Sat Dec 18 2004 2:47:32a ..S.R 223,922 218.67 K
lv2m09~1.dll Wed Dec 29 2004 10:19:40p ..S.R 225,534 220.25 K
p28q0c~1.dll Sat Dec 25 2004 9:25:50a ..S.R 226,133 220.83 K
q4nu0e~1.dll Sat Dec 18 2004 1:32:14p ..S.R 223,922 218.67 K
s4pu0e~1.dll Sun Jan 9 2005 1:23:32p ..S.R 225,534 220.25 K
uyiplat.dll Sat Dec 18 2004 4:05:44p ..S.R 224,884 219.61 K

22 items found: 22 files, 0 directories.
Total of file sizes: 4,940,656 bytes 4.71 M

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\cqoczq.dll: updates.qoologic.com
C:\WINDOWS\system32\enbeun.dll: updates.qoologic.com
C:\WINDOWS\system32\hawhma.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\pkbpyk.dat: .aspack
C:\WINDOWS\system32\wgrwog.exe: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hithpi.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"WCOLOREAL"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"CPQEASYACC"="C:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"
"NAV Agent"="c:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb09.exe"
"HPHUPD05"="C:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe\""
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"VTPreset"="VTPreset.exe"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"Narrator"="C:\\WINDOWS\\system32\\wgrwog.exe"



  • 0

#4
zombie/blood


    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
i
  • 0

#5
zombie/blood


    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
¿
  • 0

#6
Metallica


    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Download and unzip:
http://www.downloads...org/KillBox.zip
Run KillBox and paste each of these lines into the box, select delete on reboot, then press the red X button. When it says reboot now, say no and continue to paste the lines into the box in turn, following the above procedure every time. After the last line has been pasted, let it reboot.

C:\WINDOWS\system32\fn2021fmg.dll
C:\WINDOWS\system32\l46o0ej3eho.dll
C:\WINDOWS\system32\idfxdev.dll
C:\WINDOWS\system32\s4pu0e79eh.dll
C:\WINDOWS\system32\j6n2lg5o16.dll
C:\WINDOWS\system32\lv2m09f1e.dll
C:\WINDOWS\system32\p28q0cl5efq.dll
C:\WINDOWS\system32\aza2lafo1d2c.dll
C:\WINDOWS\system32\d6j0lg1m16.dll
C:\WINDOWS\system32\fp4803hue.dll
C:\WINDOWS\system32\d8j02i1mg8.dll
C:\WINDOWS\system32\uyiplat.dll
C:\WINDOWS\system32\i0nm0a51ed.dll
C:\WINDOWS\system32\h20qlcd51f0.dll
C:\WINDOWS\system32\k4pm0e71eh.dll
C:\WINDOWS\system32\e0jmla111d.dll
C:\WINDOWS\system32\q4nu0e59eh.dll
C:\WINDOWS\system32\g022lafo1d2c.dll
C:\WINDOWS\system32\dnl0013me.dll
C:\WINDOWS\system32\lv0m09d1e.dll
C:\WINDOWS\system32\h6l2lg3o16.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\e6020gdoe60c0.dll
C:\WINDOWS\system32\cqoczq.dll
C:\WINDOWS\system32\enbeun.dll
C:\WINDOWS\system32\hawhma.exe
C:\WINDOWS\system32\pkbpyk.dat
C:\WINDOWS\system32\wgrwog.exe
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hithpi.exe <= save till last

After the reboot copy and paste the text in bold below into a text editor such as Notepad.
Save this text as FixVX2.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on FixVX2.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D4AB63E5-08ED-40A6-8E2E-856BF7D2ECC9}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Narrator"=-


Download VX2Finder from:
http://www.downloads...g/VX2Finder.exe
Run it and use the Restore Policy button.

Then copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and double-click recyclerem.bat.

Your computer will reboot and you will have a shiny new (empty) recycle bin.

Post back with a HijackThis log.

Regards,

Pieter
  • 0
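
The triage step behind the ShellScrap entry in FixVX2.reg, as an added example that is not part of the thread: it decodes the DllName values in a REGEDIT4 export like the one in post #3 (quoted strings and hex(2) byte lists) and flags the Notify entries that point at a full path. The function names and the path heuristic are assumptions made for this example; the heuristic matches this export and is not a general rule.

```python
import re

# Three of the Notify keys from the export in post #3, trimmed for the example.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s6pulg7916.dll"
"Logon"="WinLogon"
'''

NOTIFY = "\\winlogon\\notify\\"  # matched case-insensitively against key paths


def decode_value(raw):
    """Decode a REGEDIT4 value: a quoted string or a hex(2) byte list.

    REGEDIT4 exports are ANSI, so hex(2) (REG_EXPAND_SZ) is one byte per
    character with a trailing NUL, not UTF-16.
    """
    raw = raw.strip()
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("cp1252")
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return raw


def notify_dlls(export_text):
    """Return {subkey: DllName} for every key under Winlogon\\Notify."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join hex continuation lines
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.lower().find(NOTIFY)
            key = path[idx + len(NOTIFY):] if idx != -1 else None
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            if name.strip('"').lower() == "dllname":  # export mixes DllName/DLLName
                found[key] = decode_value(raw)
    return found


def flag_entries(dlls):
    """Flag subkeys whose DllName carries a directory path (assumed heuristic:
    in this export only the removed ShellScrap entry does)."""
    return sorted(k for k, v in dlls.items() if "\\" in v or "/" in v)
```

A flagged entry is a lead for review against the file listings, not proof of infection.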





