1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

major infection that won't clean up

Discussion in 'Virus & Other Malware Removal' started by jfnewbie, Jan 23, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. jfnewbie

    jfnewbie Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    64
    Hi there, you guys really helped me out last time, especially thanks to Cheeseball. I'm trying to help my roommate with his lap top which is infected and I can't seem to clean up. I ran clean up and it can't finish the job because it shuts down due to an error. Adaware freezes. Ewido closes due to an error on thorough scans. The spyware it cleans, as well as spybot, reinstalls itself as soon as it gets cleaned. Clearly whatever is on there is written to prevent it from being removed and reinstalls all kinds of spyware. His computer often runs OK. It is usually rather slow. And then it can crash at times, actually usually it is just the browser. The browser often gets hijacked. God knows what else happens. Should he be worried about identity theft? Anyway, I ran a Hijack this scan. Here are the results.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:14:59 AM, on 2/13/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Network Associates\System Compliance Profiler\PtchScan.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
    R3 - URLSearchHook: (no name) - {DA9BAA20-22D0-E9B8-2A39-86A9A97E5BE1} - jopplerg.dll (file missing)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\iylhgeux.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {0F2536AB-254C-489F-1F19-D52DA6A69AED} - C:\WINDOWS\sdkom.dll (file missing)
    O2 - BHO: Class - {1A73479F-2785-CF6C-EAB8-9261C8D3F612} - C:\WINDOWS\system32\crgb.dll (file missing)
    O2 - BHO: Class - {235BB622-FF77-BB28-6008-2397626D0690} - C:\WINDOWS\d3dx32.dll (file missing)
    O2 - BHO: Class - {2CB520AE-3E8A-9E46-3B7B-D00337286F67} - C:\WINDOWS\system32\apikp.dll (file missing)
    O2 - BHO: Class - {44FBFC2A-41BD-CD32-8BA8-DF391F9FC39A} - C:\WINDOWS\system32\ntun.dll (file missing)
    O2 - BHO: Class - {4EB6319E-49FF-C8C6-FBBF-07BAC7CCFC75} - C:\WINDOWS\crhk32.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Class - {5DB4FA6D-8DF7-FEDD-6004-A7710DCAC5DE} - C:\WINDOWS\netib32.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Class - {83FF5591-CD8F-9D60-2B05-852B04CC6AA3} - C:\WINDOWS\apimi32.dll (file missing)
    O2 - BHO: Class - {A0F0D78A-020A-AAD0-3225-155F0E711A52} - C:\WINDOWS\system32\netao32.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
    O2 - BHO: Class - {B2499FC4-394E-BB59-F460-5927910CA03B} - C:\WINDOWS\ipwr.dll (file missing)
    O2 - BHO: Class - {D3175C23-4C71-3BCB-FB33-5631721147A7} - C:\WINDOWS\system32\msfm32.dll (file missing)
    O2 - BHO: Class - {E5F30F05-DCAD-6BE4-2C0E-2FC5E9253770} - C:\WINDOWS\sysgw.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [gabber] iesetupdll.exe
    O4 - HKLM\..\Run: [killall] startman.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [dmzyd.exe] C:\WINDOWS\System32\dmzyd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [driver32] stuffmon.exe
    O4 - HKCU\..\Run: [systemdll] media64.exe
    O4 - HKCU\..\Run: [nmdllw] prgsys0984.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bc.edu/schools/law/lawreviews/meta-elements/journals/wfplayer/tdserver.cab
    O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.chm::/MegaInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124804428373
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CCS\Services\Tcpip\..\{967412A2-982C-43B0-ADF6-01BABC58ADAC}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D001C00D-3DED-4613-8528-948B38A7F436}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)

    ANy help is appreciated
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hiya :)

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new Hijack This log.
     
  3. jfnewbie

    jfnewbie Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    64
    Hi Cheeseball. Followed your instructions. Upon reboot, all we got is a a report. When we closed it, nothing happened. Let us know if we missed a step. Here is the Fixware report:


    Fixwareout ver 1.003
    Last edited 1/12/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1dedoc
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llams_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ytpme
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\domdnb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\orcimlh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    Here is the hijack report (note, my roommate did delete stuff using hijack on his own prior to Fixware:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:43:17 PM, on 2/13/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\iylhgeux.slt\prefs.js)
    O4 - HKLM\..\Run: [killall] startman.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CCS\Services\Tcpip\..\{967412A2-982C-43B0-ADF6-01BABC58ADAC}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D001C00D-3DED-4613-8528-948B38A7F436}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    The Hijack This log is much smaller than the original. Were items fixed already?
     
  5. jfnewbie

    jfnewbie Thread Starter

    Joined:
    Jan 9, 2005
    Messages:
    64
    Yes, I thought I had written that my roommate actually went ahead on his own and used Hijack This to delete some processes, even though I told him not to until I hear from one you. I wrote that in my last reply, but somehow it did not post??? Sorry. Anyway, yeah, he deleted a bunch of stuff. He seemed obvious to him what belonged there and what didn't, for the most part. Let me know if he screwed himself up.

    Also, as mentionned, I followed your intructions and upon reboot, nothing appeared to happen.
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Well, he definitely fixed a few that didn't need to be fixed (like his anti-virus protection!)

    Download KillBox here: http://www.downloads.subratam.org/KillBox.exe
    Save it to your desktop.
    DO NOT run it yet.

    Click Start – Run - and type in:

    services.msc

    Click OK.

    In the services window find: Windows Update Service

    Right click and choose Properties. On the General tab under Service Status click the Stop button to stop the service. Beside Startup Type in the dropdown menu select Disabled. Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O4 - HKLM\..\Run: [killall] startman.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130

    O17 - HKLM\System\CCS\Services\Tcpip\..\{967412A2-982C-43B0-ADF6-01BABC58ADAC}: NameServer = 85.255.115.58,85.255.112.130

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D001C00D-3DED-4613-8528-948B38A7F436}: NameServer = 85.255.115.58,85.255.112.130

    O17 - HKLM\System\CS1\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130

    O17 - HKLM\System\CS2\Services\Tcpip\..\{5439E6AF-1E6B-434D-B743-6D3F44D50410}: NameServer = 85.255.115.58,85.255.112.130

    O23 - Service: Windows Update Service (wuamgrd) - Unknown owner - C:\WINDOWS\System32\wuamgrd.exe (file missing)


    Exit Hijack This.

    * Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

    Double-click the Network Connections icon
    Right-click the Local Area Connection icon and select Properties.
    Higlight Internet Protocol (TCP/IP) and click the Properties button.
    Be sure Obtain DNS server address automatically is selected.
    OK your way out.


    * Go to Start > Run and type in cmd
    Click OK.
    This will open a command prompt.
    Type or copy and paste the following line in the command window:

    ipconfig /flushdns


    Hit Enter.
    Exit the command window.

    Boot into Safe Mode.

    * Double-click on Killbox.exe to run it.

    Put a tick by Standard File Kill.
    In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINDOWS\System32\iesetupdll.exe
    C:\WINDOWS\System32\startman.exe
    C:\WINDOWS\System32\dmzyd.exe
    C:\Program Files\UnSpyPC
    C:\WINDOWS\System32\stuffmon.exe
    C:\WINDOWS\System32\media64.exe
    C:\WINDOWS\System32\prgsys0984.exe


    Click on the button that has the red circle with the X in the middle after you enter each file.
    It will ask for confirmation to delete the file.
    Click Yes.
    Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    Killbox may tell you that one or more files do not exist.
    If that happens, just continue on with all the files. Be sure you don't miss any.
    Next in Killbox go to Tools > Delete Temp Files
    In the window that pops up, put a check by ALL the options there except these three:
    XP Prefetch
    Recent
    History
    Now click the Delete Selected Temp Files button.
    Exit the Killbox.

    Finally go to Control Panel > Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files".
    Put a check by "Delete Offline Content" and click OK.
    Click on the Programs tab then click the "Reset Web Settings" button.
    Click Apply then OK.

    Empty the Recycle Bin.

    Reboot, post a new log.
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/436428

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice