Topic: Infections will not allow access to removal tools
daisy15
« on: October 25, 2004, 07:47:02 PM »

My friend's computer is infected with IstBar and Kazaa. She could only use HouseCall which showed 18 infections and cleared up all but these two. When she tries to download ANY protection, the grey download and save box will not come up. Instead there is a grey box with strange symbols in it. Even the Kazaa patch will not load.

Is it possible that these meanies are blocking her access? If so, what can she do about it short of reformatting which she does not want to do because she has some pricey medical record keeping programs that she will have to pay to reinstall. (She's a doctor) She can't even download Hijack This!

Any help appreciated.
Logged

 
benditup
« Reply #1 on: October 25, 2004, 09:18:19 PM »

Hi again Daisy, is there any way you can download Hijackthis to a floppy
and transfer it to that computer and then post a log?

Can you email her Hijackthis?
She will have to allow attachments
I'll assume she's using Outlook Express, Open OE---Tools---Security tab
Her Hosts file could be overwritten, hijackthis can help with that too

Logged

 
paperdragon
« Reply #2 on: October 26, 2004, 03:21:15 AM »

Logfile of HijackThis v1.98.2
Scan saved at 9:31:23 PM, on 10/25/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\EMUSIC\EMUSICCLIENT.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xxxtoolbar.com/ist/scripts/searchpages_manager.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.mys*x.org/index.php?id=script
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: CSBHO Class - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRAM FILES\COMET\BIN\CSBHO.DLL
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\STOOLBAR.DLL (file missing)
O2 - BHO: SNHlprObj Class - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL (file missing)
O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\FR03T.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL (file missing)
O2 - BHO: DoesManagerItch - {12001F8E-AE6A-3C2D-1953-655E976D9B6D} - C:\PROGRAM FILES\DENT CREATIVE\BARBCAST.DLL
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1500.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRAM FILES\COMET\BIN\CSIETB.DLL
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL
O3 - Toolbar: (no name) - {6A85D97D-665D-4825-8341-9501AD9F56A3} - (no file)
O3 - Toolbar: DEAFINTRA - {242D3895-F16F-4A71-5E3A-9137EFBF9A95} - C:\PROGRAM FILES\DENT CREATIVE\BARBCAST.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [eMusicClient Systray] C:\Program Files\eMusic\eMusicClient.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1500.DLL
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149031 (file missing)
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

Logged

 
daisy15
« Reply #3 on: October 26, 2004, 03:26:12 AM »

benditup.................Thanks! Paperdragon is my friend's HJT Log. I took the floppy down to her and she was able to get it onto her computer. :D
Logged

 
benditup
« Reply #4 on: October 26, 2004, 05:19:59 AM »

This computer has many problems :o

If you can somehow manage, can you download and save to desktop
or transfer from another computer CWShredder
Don't try and run it from a floppy

Transfer it to the desktop
You may also want to make a permanent folder for hijackthis on the infected computer and copy and paste hijackthis from floppy to the new folder

Access your Add/Remove Programs and Uninstall if found
Lycos SideSearch
Comet Cursor
IPInsigt
MSIETS
Internet 404
Tools for Internet Explorer
AM Server
CtxPls
POP
SysAI
Orbit
F1' or 'ZZ
RESTART your computer if Anything Removed

Also look for these next ones

Search Toolbar
Web Search Toolbar
Win-Tools Easy Installer
Restart your computer after you have removed the above 3 only after you uninstalled them all, if they all exist


On Restart, stay disconnected from the Internet
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed, including this one

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nnsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.xxxtoolbar.com/ist/scripts/searchpages_manager.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.mys*x.org/index.php?id=script
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://nnsearch.biz/

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: CSBHO Class - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRAM FILES\COMET\BIN\CSBHO.DLL
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {0A5CF411-F0BF-4AF8-A2A4-8233F3109BED} - C:\PROGRA~1\SEARCH~1\STOOLBAR.DLL (file missing)
O2 - BHO: SNHlprObj Class - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL (file missing)

O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\FR03T.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\SYSTEM\MSHELPER.DLL (file missing)
O2 - BHO: DoesManagerItch - {12001F8E-AE6A-3C2D-1953-655E976D9B6D} - C:\PROGRAM FILES\DENT CREATIVE\BARBCAST.DLL

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O2 - BHO: MultimppObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1500.DLL

O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRAM FILES\COMET\BIN\CSIETB.DLL
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL
O3 - Toolbar: (no name) - {6A85D97D-665D-4825-8341-9501AD9F56A3} - (no file)
O3 - Toolbar: DEAFINTRA - {242D3895-F16F-4A71-5E3A-9137EFBF9A95} - C:\PROGRAM FILES\DENT CREATIVE\BARBCAST.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com/?fref=149031 (file missing)

O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)


After you have Fix Check and closed hijackthis
Open Up Just CWShredder and let it FIX all problems

RESTART your computer

If you can, could you
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or later
If you don't have this version, uninstall yours and install this one
After installation-CHECK FOR UPDATES
Do a Full system scan----Remove All Critical objects
RESTART your computer to finish the cleaning process

Post back with a fresh hijackthis log afterwards
If you happen to lose Internet connection completely we will have to download a fix for it, but I don't see this happening

could you also open Hijackthis>>>Config>>Misc Tools>>Open Hosts File Manager>>>Click the Open in Notepad
Copy and paste the contents of notepad back here too
Logged
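
Checking a follow-up scan against the entries that were ticked for fixing, as an added example that is not part of the thread or of HijackThis itself. It parses the `CODE - text` lines, matches entries by CLSID where one is present, and reports any that survived; the function names are hypothetical, the first two samples are excerpts of logs posted in this thread, and the third is constructed.

```python
import re
from typing import List, NamedTuple, Optional

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O2 - BHO: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")


class Entry(NamedTuple):
    code: str             # section code, e.g. "O2"
    body: str             # text after "CODE - "
    clsid: Optional[str]  # upper-cased CLSID if the line carries one
    orphaned: bool        # registry entry whose target file is gone

    @property
    def key(self):
        # A CLSID survives renamed or 8.3-shortened paths; else use the text.
        return (self.code, self.clsid or self.body.casefold())


def parse_log(text: str) -> List[Entry]:
    """Return the R*/O* entries; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(code, body,
                             clsid.group(0).upper() if clsid else None,
                             bool(ORPHAN_RE.search(body))))
    return entries


def still_present(fix_list: str, followup_log: str) -> List[Entry]:
    """Entries that were checked for fixing but appear again in the next scan."""
    after = {e.key for e in parse_log(followup_log)}
    return [e for e in parse_log(fix_list) if e.key in after]


# Excerpt of the entries listed for fixing in this thread.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nnsearch.biz/
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: SNHlprObj Class - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\PROGRAM FILES\SRNG\SNHELPER.DLL (file missing)
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL
"""

# Excerpt of the follow-up log posted in this thread.
FOLLOWUP = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""

# Constructed: the same follow-up with one BHO left behind under another name.
PARTIAL = FOLLOWUP + r"""O2 - BHO: (no name) - {000004cc-e4ff-4f2c-bc30-dbef0b983bc9} - C:\WINDOWS\IPINSIGT.DLL
"""

if __name__ == "__main__":
    for e in still_present(FIX_LIST, PARTIAL):
        print("still present:", e.code, e.body)
```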

 
daisy15
« Reply #5 on: October 26, 2004, 06:35:49 PM »

benditup....................You're magic!!! ;D As you can see, my friend and I were up very late doing exactly as you instructed and guess what----Her machine is flying. She is on cable and her downloads were almost instant, just as they should be. Do you see anything else that we should do?

BTW, thanks to you, my machine is flying too, 94% on boot up this morning. 8) We are now officially "benditup" groupies! ;D

Hijackthis Log

Logfile of HijackThis v1.98.2
Scan saved at 2:19:01 AM, on 10/26/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
A:\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


Hijackthis>>>Config>>Misc Tools>>Open Hosts File Manager>>>Click the Open in Notepad:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Logged
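
A hosts-file review of the kind asked for above, as an added example that is not part of the thread: it drops comments, lists the active mappings, and flags every name other than `localhost` that is forced to the local machine or pinned to a fixed address. The function names are hypothetical, the first sample is an excerpt of the file posted above, and the altered sample uses constructed `.example` names and a documentation-range address.

```python
import ipaddress
from typing import List, Tuple


def active_mappings(hosts_text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs with comments and blank lines dropped."""
    pairs = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment anywhere
        if not line:
            continue
        ip, *names = line.split()             # one address, one or more names
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def review_hosts(hosts_text: str) -> List[Tuple[str, str, str]]:
    """Return (hostname, ip, finding) for every mapping that needs a look."""
    findings = []
    for ip, name in active_mappings(hosts_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "malformed address"))
            continue
        if addr.is_loopback and name == "localhost":
            continue                          # the stock entry
        if addr.is_loopback or addr.is_unspecified:
            findings.append((name, ip, "resolves to the local machine"))
        else:
            findings.append((name, ip, "pinned to a fixed address"))
    return findings


# Excerpt of the hosts file posted in this thread (commented samples included).
THREAD_HOSTS = """\
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
"""

# Constructed: the same file with entries an overwritten hosts file might hold.
ALTERED_HOSTS = THREAD_HOSTS + """\
127.0.0.1    download.av-vendor.example update.av-vendor.example
203.0.113.7  www.search-portal.example   # constructed redirect
"""

if __name__ == "__main__":
    for name, ip, why in review_hosts(ALTERED_HOSTS):
        print(f"{name:30} {ip:15} {why}")
```

A name that resolves to the local machine can come from a deliberate block list as well as from a hijack, so each finding is a prompt to check where the line came from.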

 
benditup
« Reply #6 on: October 27, 2004, 03:59:21 PM »

Your hosts file looks ok....
Careful, what you remove with hijackthis
I can't see anything you removed, besides the ones I mentioned, that would do you any harm, most will be reinstalled if needed
Hold on to the backups that hijackthis made until everything is running real smooth

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In notepad, click File>>Save as
Name the file as search.reg
Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet
This will restore your default search settings

quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed
R3 - Default URLSearchHook is missing

You may want to Restart your computer into SAFE MODE

See if you can find any of these and delete them if they exist
C:\WINDOWS\IPINSIGT.DLL <--file
C:\WINDOWS\SYSTEM\FR03T.DLL <--file
C:\WINDOWS\MULTIMPP.DLL <--file
C:\WINDOWS\SYSTB.DLL <--file

C:\PROGRAM FILES\COMET <--folder
C:\PROGRAM FILES\XUPITER <--folder
C:\PROGRAM FILES\DENT CREATIVE <--folder, let me know if there's any other files in this folder if you can find it, if there is, don't remove it yet, but let me see the file names

While in safe mode, navigate to your Temp folders and delete the Whole contents, or whatever you can, but Don't delete the temp directories themselves
C:\Windows\Temp <--delete the contents
C:\Windows\Temporary Internet Files <--delete the contents

Double click on search.reg and allow it to merge to the registry

RESTART back into Normal Mode
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Also Reset home page

Ad-Aware is a great spyware removal tool, hold onto it and update it every couple of weeks and run a scan
Spybot S&D 1.3 is another popular removal tool
I have both, you may want to download this one too
After installation, SEARCH FOR UPDATES
Download All updates
Check for Problems---FIX everything in RED

Restart your computer to finish the cleaning

You should install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!

With both, Check for updates every couple of weeks

Stay safe daisy and PaperDragon :)
Groupies :-[ >> Take care
Logged
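
A structural check for the search.reg file from the steps above, run before merging, as an added example that is not part of the thread. It verifies the .reg extension that the "All Files" step is meant to preserve, the REGEDIT4 signature on line 1, and that every other line is a key header or a value; the function name and the failing input are constructed for illustration.

```python
import re
from typing import List

ROOTS = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG", "HKEY_DYN_DATA"}
KEY_RE = re.compile(r"^\[-?([A-Z_]+)(?:\\[^\]]*)?\]$")
VALUE_RE = re.compile(
    r'^(?:@|"(?:[^"\\]|\\.)*")='
    r'(?:"(?:[^"\\]|\\.)*"|dword:[0-9A-Fa-f]{8}|hex(?:\([0-9A-Fa-f]+\))?:.*|-)$')


def check_reg(filename: str, text: str) -> List[str]:
    """Return a list of problems; an empty list means the file looks mergeable."""
    problems = []
    if not filename.lower().endswith(".reg"):
        problems.append("name does not end in .reg")
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append("line 1: not the REGEDIT4 signature")
    in_key = continued = False
    for n, raw in enumerate(lines[1:], start=2):
        s = raw.strip()
        if continued:                      # tail of a multi-line hex value
            continued = s.endswith("\\")
            continue
        if not s or s.startswith(";"):     # blank line or comment
            continue
        key = KEY_RE.match(s)
        if key:
            in_key = True
            if key.group(1) not in ROOTS:
                problems.append(f"line {n}: unknown root key {key.group(1)}")
        elif VALUE_RE.match(s):
            continued = s.endswith("\\")
            if not in_key:
                problems.append(f"line {n}: value before any [key] header")
        else:
            problems.append(f"line {n}: neither a [key] header nor a value")
    return problems


# Excerpt of the registry text posted in this thread.
SEARCH_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
'''

# Constructed failure: saved with a .txt suffix and a stray forum label on line 1.
BAD_NAME = "search.reg.txt"
BAD_TEXT = "quote:\n" + SEARCH_REG

if __name__ == "__main__":
    print(check_reg("search.reg", SEARCH_REG))
    for problem in check_reg(BAD_NAME, BAD_TEXT):
        print(problem)
```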

 
paperdragon
« Reply #7 on: November 14, 2004, 08:17:47 AM »

Finally back. Followed your instructions. Copied the quote into notepad and saved it to desktop. When I restarted my computer in safe mode I found XUPITER and deleted it. Also found DENT CREATIVE, did not delete, but opened it. Inside was something called SAFEFREE. Went to temporary internet files and was able to delete all but 46 files. Then went to search.reg folder on the desktop and tried to allow it to merge to the registry. It said the files were not the right type and it couldn't do it. Downloaded Spybot S & D and fixed everything in red, downloaded Spyware Blaster, downloaded IE-Spyad and did a new Hijack This Log. Is it soup, yet? :D

Logfile of HijackThis v1.98.2
Scan saved at 1:50:40 AM, on 11/14/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE
A:\HIJACKTHIS.EXE
A:\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


Logged

 
Pancake
« Reply #8 on: November 14, 2004, 08:42:53 AM »

Not much left, but what there is left is clean.....
Logged
