1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Home Search (and what suddenly seems like 1000 new files)

Discussion in 'Virus & Other Malware Removal' started by Draven2345, Jan 30, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Draven2345

    Draven2345 Thread Starter

    Joined:
    Jun 27, 2004
    Messages:
    4
    I have this Homesearch thing and it's driving me crazy. Went into safe mode, ran SpyWare Search and Destroy, AdAware6, Blaster, and HS Remove (as well as Norton), then ran a Hijack file. Killed the files (if I could find them) for anything that wasn't there before, as well as checked it off of Hijack. Went into normal, loaded up Windows......and I still have it. Here is my log. God please help me get rid of this, it's absolutely annoying as all hell. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:24:47 PM, on 1/29/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iRiver\Service\MLService.exe
    C:\Program Files\iRiver\Service\Updater.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\mfcjv.exe
    C:\WINDOWS\atlfl32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Main\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rwfxk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rwfxk.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rwfxk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rwfxk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rwfxk.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rwfxk.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rwfxk.dll/sp.html#12345
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\1uq3qwlo.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\1uq3qwlo.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {938EA715-0A71-38BD-176F-1ADA2F961E86} - C:\WINDOWS\mfcmq.dll
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
    O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
    O4 - HKLM\..\Run: [atlfl32.exe] C:\WINDOWS\atlfl32.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Windows.hta
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.3558449074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    hi, You will have to get the newer version of Hijackthis, which shows more things than the outdated one...

    Would like to have you post a log from HijackThis, a program (very tiny) that we use to see what problems exist.

    There are directions here to do it: There are .zip form and .exe form, take your pick.

    Download it here:

    http://radiosplace.com/

    Or here.


    It's a direct download so be ready with the folder for it.

    Basically, you create a new folder, the desktop is OK provided you MAKE A FOLDER, name it something like HJT, and download TO that folder, run hijackthis.exe from there. If there are users of the computer who might start HJT and use it, hide the program in a folder elsewhere!

    What you have is an about:blank infection, it is a nasty CWS type that cannot be fixed by the common removal programs, but with help from someone here you will be able to....looks like tomorrow though> too late today unless someone comes by who can deal with this.

    Around 7-8AM Eastern US time they will be back here.
     
  3. Draven2345

    Draven2345 Thread Starter

    Joined:
    Jun 27, 2004
    Messages:
    4
    Ok, here it is with the latest and greatest Hijack Ths version:

    Logfile of HijackThis v1.99.0
    Scan saved at 4:02:01 PM, on 1/30/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iRiver\Service\MLService.exe
    C:\Program Files\iRiver\Service\Updater.exe
    C:\WINDOWS\atlfl32.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\mfcjv.exe
    C:\Program Files\World of Warcraft\WoW.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Main\Desktop\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\1uq3qwlo.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Main\Application Data\Mozilla\Profiles\default\1uq3qwlo.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {41E7FA47-D78C-1C6C-0345-D6F242B53680} - C:\WINDOWS\system32\atlgn32.dll
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
    O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
    O4 - HKLM\..\Run: [atlfl32.exe] C:\WINDOWS\atlfl32.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Windows.hta
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\sqlgoim.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\mfcjv.exe
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, If you notice, after some restarts the file name in the about/blank hijack changes...so, to avoid having to do fixing from the start over again, try not to restart the computer until the directions posted tell you to. If anything freezes up, you will have to, just post what happened and what you were doing when the freezeup happens, maybe none will, OK?

    Some or most of the work will be done in Safe Mode, where you will not have Internet to read these posts, to check threads, etc. You will have to get the downloads first, and also copy and paste all these steps into a Notepad text file so you can have them handy in Safe Mode, (save as a TSGhelp.txt file to the desktop) Or, you can print them out if you like to use paper and ink...

    Safe Mode> when you restart the computer, when you first see text on your screen, start tapping the F8 key, when you see the startup menu, select "Safe Mode" with arrow key, (nothing else plain Safe Mode) and hit the Enter key once...give it plenty of time to get to the desktop.
    ______________

    Download all of these please:

    DelDomains:

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Save it for later, do not run it now.

    cwsserviceremove.zip >unzip it to your desktop and have it ready to run later.


    http://forums.techguy.org/attachment.php?attachmentid=38111


    Downloads: Killbox ( all are at subratam.org below)

    AboutBuster

    CWShredder Here:

    http://www.subratam.org/?page=removal


    AboutBuster> unzip the files to the desktop, but do not run it now! Will be used later.

    KillBox> Unzip the file to your desktop to have ready to run later. (We are big on "later" hmmm?)

    AdAware SE personal edition: You said you have 6.0, this is no longer updated, retired so get SE v. 1.05

    SpyBot Search and Destroy v. 1.3 <note, need this version

    If you have 1.2 or other, uninstall that first.

    http://www.majorgeeks.com/download506.html

    AdAware and SpyBot need to be updated even though you are just installing them, much like antivirus programs.
    There may be updates for one, not the other, depends on what build the server you connect to has for you...you must check for these updates though!

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    Close AdAware as we are going to use it later, not now.

    SpyBot:
    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Close that up, same we run this later on! These programs cannot fix the about/blank hijack.

    _______________


    Now go ahead and set your computer to show hidden files like so:

    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"
    ____________

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
    _____________

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find "Network Security Service (NSS)"

    Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility. CAUTION!!!!! There are other services that are very similar to the above, make sure you have the one above, Network Security Service ...NSS!!!!!!!!!!
    ______________

    Restart to safe mode.
    Perform the following steps in safe mode:

    Double click on the cwsserviceemove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have it's contents added to the registry. This is the file created when you unzipped cwsserviceremove.zip:

    Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

    Put a check by these entries in Hijack This and click the "Fix Checked" button:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {41E7FA47-D78C-1C6C-0345-D6F242B53680} - C:\WINDOWS\system32\atlgn32.dll

    O4 - HKLM\..\Run: [atlfl32.exe] C:\WINDOWS\atlfl32.exe

    O20 - AppInit_DLLs: C:\WINDOWS\System32\sqlgoim.dll


    Next, using Windows Explorer, find the files shown at ends of the paths below, delete them:



    C:\WINDOWS\atlfl32.exe
    C:\WINDOWS\System32\sqlgoim.dll
    C:\WINDOWS\system32\atlgn32.dll
    C:\WINDOWS\system32\wdyhn.dll/sp.html#12345
    C:\WINDOWS\mfcjv.exe

    Next: Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Next navigate to the C:\Documents and Settings\Administrator (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    __________

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
    _____

    Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do it's thing.
    ____

    Restart, you will be back in regular Windows...

    Run AdAware SE full scan and restart.

    Run SpyBot full scan and restart.

    _____________________________
    You must go here, and do a full scan:


    http://housecall.antivirus.com/housecall/start_corp.asp

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.
    _______________

    Now, run Deldomains.inf by right-clicking and select "Install", NOTE: If you have sites in your Trusted Zone in IE Security zones, you will have to reenter those URLs later! It is the only way to get rid of the bad Trusted Sites....
    ______________________________________
    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from http://members.aol.com/toadbee/hoster.zip

    UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.
    ____________

    If you have Spybot S&D installed 9and you do!) you will also need to replace one file.
    Go to: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper

    and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder.
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open the System32 folder and right click on an empty space in the window. Choose Paste from the menu.

    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system32

    If control.exe isn't there, go to: http://www.spywareinfo.com/~merijn/winfiles.html

    and download control.exe per the instructions at the site.

    Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here:

    http://www.jfitz.com/tips/ie_security_config.html

    There will be some more work to do, as I did not have you remove certain things just now- please post the new HJT log.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/324817

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice