Need help with hijacked computer and stubborn spyware please
--------------------------------------------------------------------------------
Hello,
Unfortunately, my homepage was hijacked. I have run CWS, Spybot, Ad-Aware, etc. and I can not get it to budge! I would REALLY appreciate help on this. Thanks to any brilliant mind that helps.
Oh yea, BTW, I don't have a clue what the log means, does, or how it needs to be fixed.
Here is my HijackThis log:
Logfile of HijackThis v1.99.0
Scan saved at 2:02:01 PM, on 12/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
..........................................................
Hi AndrewZ,
Please follow all instructions in the order they are presented, or the fix will not work!
You might want to print these instructions for reference, or copy and paste them into Notepad and save them on your desktop, as you will be off the internet and in Safe Mode while performing this fix.
Download Ad-Aware SE Personal Edition version 1.05 from:
http://www.lavasoft.de/support/download/
Run Ad-Aware, click the "Check for Updates now" link. Install the latest reference file.
Just update it for now, you will scan with it later!
Next...
Please download AboutBuster 4.0
http://downloads.subratam.org/AboutBuster.zip
Save it to a new folder such as C:\AboutBuster
Unzip it and run AboutBuster.exe. Then hit Ok, note that there is now an update button. Hit update and 'Check for Update'. If there is a newer version hit 'Download Update'.
Just update it for now, we will use it later!
Next...
Boot into Safe Mode. Restart your computer, start tapping F8 when your computer first starts booting, select Safe Mode.
Make sure your computer is configured to show all files and folders.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck Hide extensions for known file types.
Uncheck the Hide Protected Operating System Files option.
Click Yes to confirm.
Click OK.
Go to Start > Run and type "Services.msc" (without the quotes) then hit Ok. Scroll down and find the service called:
Network Security Service
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.
Next...
Press Ctrl-Alt-Delete to get into the Task Manager and end the following processes if they exist:
system.ini:lwteb
Next...
Run HijackThis, click Scan, and place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "Fix checked". It is OK if some of these items are no longer listed.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {39003147-0564-FC80-401D-657710C0FEE1} - C:\WINDOWS\winnv32.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\ZxCfU.dll
O4 - HKLM\..\Run: [ZbybL] C:\documents and settings\chris\local settings\temp\ZbybL.exe
O4 - HKLM\..\Run: [ZLIzGvAS] C:\documents and settings\chris\local settings\temp\ZLIzGvAS.exe
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O4 - HKLM\..\Run: [nettb.exe] C:\WINDOWS\system32\nettb.exe
O4 - HKLM\..\RunOnce: [d3gs.exe] C:\WINDOWS\d3gs.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Chris\Application Data\rrup.exe
O4 - HKCU\..\Run: [Pbphii] C:\WINDOWS\System32\l?gonui.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/18af265b80b881d3b417/netzip/RdxIE601.cab
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ieym.exe (file missing)
These are resource hogs that can be fixed also:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Search for and delete the following files:
C:\WINDOWS\winnv32.dll
C:\Documents and Settings\Chris\Local Settings\Temp\ZxCfU.dll
C:\documents and settings\chris\local settings\temp\ZbybL.exe
C:\documents and settings\chris\local settings\temp\ZLIzGvAS.exe
C:\WINDOWS\system32\nettb.exe
C:\WINDOWS\d3gs.exe
C:\Documents and Settings\Chris\Application Data\rrup.exe
Search for and delete the following folders:
C:\Program Files\Windows ServeAd < delete the entire Windows ServeAd folder
Next...
Go to Start > Run and type Regedit, then click OK. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and highlight Services in the left pane. In the right pane, look for any of these entries, named as:
O? ’ŽrtñåȲ$Ó or N S Service
If any are listed, right-click that entry in the right pane and choose Delete.
Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for any entries like this:
LEGACY ½ O? ’ŽrtñåȲ$Ó or LEGACY N S Service
If you find it, right-click it in the right-pane and choose delete.
If you have trouble deleting a key, then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.
Browse to C:\AboutBuster and run aboutbuster.exe. If the tool asks you to perform a second pass, allow it to do it. Please copy and paste the final AboutBuster log to a text file and save it on your desktop.
Next...
Copy the contents of the Quote Box to Notepad. Name the file fix.reg. Change the Save as Type to All Files. Save this file on the desktop.
Quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
Next...
Perform a "Full system scan" with Ad-Aware. Allow it to remove anything it finds.
Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following:
Temporary Internet Files
Recycle Bin
Temporary Files
Then click OK.
Reboot normally.
Next...
I would like you to perform an online virus scan at Trend Micro:
http://housecall.trendmicro.com/
Select all of your drives for scanning. Please check "Auto clean" before scanning.
If you can, copy and paste the report logs from the scan into your next post along with the AboutBuster log and a fresh HijackThis log.
Tom
__________________
HijackThis
Ad-Aware
Spybot Search & Destroy
SpywareBlaster
SpywareGuard
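The reply above works through the log by eye: anything pointing at a res:// DLL resource, anything loading from a Temp or Application Data directory, Trusted Zone additions, and a service whose binary is gone. As an added example (not part of the thread, and not code from HijackThis or any of the tools named here), the script below parses HijackThis-style lines and applies those same checks mechanically. The sample entries are constructed from the lines quoted in the reply, and the heuristics are my own assumptions; a hit means "look at this", not proof of infection.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread or of HijackThis itself. It parses the
Rn/On entries and flags the same kinds of lines the reply above picks out by
eye. The heuristics are assumptions of the example author, not rules from any
tool named in the thread; treat a hit as "worth checking", not as proof.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: entries copied from the log lines quoted in the reply,
# plus one ordinary RealPlayer scheduler entry that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yesdk.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\ZxCfU.dll
O4 - HKLM\..\Run: [ZbybL] C:\documents and settings\chris\local settings\temp\ZbybL.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Chris\Application Data\rrup.exe
O4 - HKCU\..\Run: [Pbphii] C:\WINDOWS\System32\l?gonui.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ieym.exe (file missing)
"""

# "R1 - <detail>" / "O4 - <detail>": section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<detail>.*)$")
# Windows path ending in .exe/.dll; paths may contain spaces, so match lazily.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
TEMP_RE = re.compile(r"\\local settings\\temp\\")
APPDATA_EXE_RE = re.compile(r"\\application data\\[^\\]*\.exe")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, detail) pairs; lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def reasons_for(section: str, detail: str) -> List[str]:
    """Defensive heuristics mirroring what the reply singles out."""
    d = detail.lower()
    reasons = []
    if section in ("R0", "R1") and "res://" in d:
        reasons.append("IE start/search page redirected into a res:// DLL resource")
    if section in ("R0", "R1") and d.endswith("= about:blank"):
        # Harmless on its own; in this thread's hijacker the about:blank page is
        # served by the same DLL, so it is listed for review, not auto-removal.
        reasons.append("default page set to about:blank (review alongside res:// entries)")
    if section == "R3" and "missing" in d:
        reasons.append("default URLSearchHook missing")
    if section in ("O2", "O4") and TEMP_RE.search(d):
        reasons.append("BHO/autostart loads from a Temp directory")
    if section == "O4" and APPDATA_EXE_RE.search(d):
        reasons.append("autostart runs an .exe from Application Data")
    if section == "O4" and "?" in d:
        reasons.append("path contains a character HijackThis could not display (shown as '?')")
    if section == "O15":
        reasons.append("Trusted Zone / trusted IP range addition")
    if section == "O23" and "(file missing)" in d:
        reasons.append("service registered for a binary that is not on disk")
    return reasons


def triage(text: str) -> List[Dict[str, object]]:
    """Parse a log and keep only entries with at least one reason."""
    findings = []
    for section, detail in parse_log(text):
        reasons = reasons_for(section, detail)
        if reasons:
            findings.append({"section": section, "entry": detail, "reasons": reasons})
    return findings


def referenced_files(findings: List[Dict[str, object]]) -> List[str]:
    """Unique .exe/.dll paths named by flagged entries, in log order."""
    seen = set()
    paths = []
    for f in findings:
        for p in PATH_RE.findall(str(f["entry"])):
            if p.lower() not in seen:
                seen.add(p.lower())
                paths.append(p)
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f['section']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    -> {r}")
    print("\nFiles to look at:")
    for p in referenced_files(hits):
        print("   ", p)
```

Run it as a script to get a report for the sample, or call `triage()` on the text of a real log. The file list it produces is the same set of paths the reply asks the poster to locate by hand, which is the point: the tools do the removal, but deciding which lines matter is a matter of reading the log, and a small script makes that reading repeatable.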
..............................................................
Another method is this.
Download:
CWShredder: http://danborg.org/spy/CWS/cwshredder.exe
Ad-Aware: http://www.lavasoftusa.com/support/download/
Spybot: http://www.safer-networking.org/en/download/index.html
Download this scanner – mwav exe: http://home9.inet.tele.dk/le01/Sikkerhed.htm
Show hidden files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Disable System Restore: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Go to Add/Remove Programs in Control Panel, and find, if present: Windows ControlAd - remove it.
Please go offline.
In the HijackThis program, place a check mark next to the following entries.
R3 - Default URLSearchHook is missing
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\3euhi9j.dll
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [rwjnvampmcvsx] C:\WINDOWS\System32\dizfcg.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\RunOnce: [40rg29.exe] C:\WINDOWS\System32\40rg29.exe /k
O4 - HKCU\..\RunOnce: [40rg29.exe] C:\WINDOWS\System32\40rg29.exe /k
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=d5ce257857a083868c1f4672b0407c8b9379fe5496c0e7d74dd5b79e931ad6d6d9b0f3669e53e51b8fba848fa8088c3fc64cb0edfedca287d6c4c1b056f368
Press the "Fix checked" button. Then close HijackThis. Reboot into Safe Mode - hit the F8 key until the menu shows up.
Find and delete:
C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
C:\WINDOWS\system32\3euhi9j.dll
C:\WINDOWS\System32\dizfcg.exe
C:\WINDOWS\satmat.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\WINDOWS\System32\40rg29.exe
Run the mwav scanner: Activate all, in settings - Scan.
Spybot: click on the Immunize button. Then the "Scan System" button. When the check is over, fix all marked with red.
Ad-Aware: Push START. Perform full system scan. NEXT. To fix all the bad critical objects do the following: Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. When all are selected click "Next" and then "OK" in the pop-up window to confirm the removal.
Run CWShredder, close all other windows - Fix. Reboot.
Go to Start > Run and type: cleanmgr.exe and hit Enter. When prompted what drive to clean, select your hard drive C:. If asked what folders to clean in a list, tick them all to clean all temp folders, downloaded program folders, temporary internet files, etc., and the recycle/trash bin.