Old 07-10-2005, 01:15 PM   #3 (permalink)
Omerr
Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Please do NOT change any of those settings until we finish the fixing process.

Download AboutBuster and unzip it to a folder on your Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Download CWSserviceRemove and unzip it to your desktop. It'll create a file called cwsserviceremove.reg. Do NOT run this yet.

Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Go to Start->Run and type in services.msc and hit OK. Then look for the following service:

Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I)
Double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (if they still exist). You must kill them one at a time.

C:\WINDOWS\addke.exe
C:\WINDOWS\system32\javacy.exe


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uupse.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\uupse.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - C:\WINDOWS\mfczv32.dll
O4 - HKLM\..\Run: [nttd32.exe] C:\WINDOWS\system32\nttd32.exe
O4 - HKLM\..\Run: [ntgx.exe] C:\WINDOWS\system32\ntgx.exe
O4 - HKLM\..\Run: [javacy.exe] C:\WINDOWS\system32\javacy.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\addke.exe


Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file.

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED if they still exist:

C:\WINDOWS\addke.exe
C:\WINDOWS\system32\javacy.exe
C:\WINDOWS\mfczv32.dll
C:\WINDOWS\uupse.dll
C:\WINDOWS\system32\nttd32.exe
C:\WINDOWS\system32\ntgx.exe


Double-click on the cwsserviceremove.reg file you unzipped to your desktop earlier. When it prompts to merge, click Yes. This will clear some registry entries left behind by the malware infections.

Reboot your system in Normal Mode.

Please use Panda ActiveScan at http://www.pandasoftware.com/products/activescan. Give us the scan’s log.

Please scan again with HijackThis to get a new log.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Now give us a new HijackThis Analyzer log, together with Panda ActiveScan’s log and AboutBuster’s log, so we can make sure your system is clean.
__________________
I am here in order to help you.
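
How the file list in the post follows from the checked HijackThis entries, as an added example that is not part of Omerr's post: it parses the entries, names each section code, and pulls out the on-disk file each one references. The regexes, function names and section descriptions are this example's own; the log lines are copied from the post, keeping one of the several `res://` lines.

```python
import re

# Entries copied from the HijackThis log in the post (one res:// line kept of several).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\uupse.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {97AB2DB6-2797-5E66-F69B-1C10B62342C2} - C:\WINDOWS\mfczv32.dll
O4 - HKLM\..\Run: [nttd32.exe] C:\WINDOWS\system32\nttd32.exe
O4 - HKLM\..\Run: [ntgx.exe] C:\WINDOWS\system32\ntgx.exe
O4 - HKLM\..\Run: [javacy.exe] C:\WINDOWS\system32\javacy.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Workstation NetLogon Service ( 11Fßä #•ºÄÖ`I) - Unknown owner - C:\WINDOWS\addke.exe
"""

# What each HijackThis section code covers (descriptions written for this example).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O4": "registry autostart (Run key)", "O15": "Trusted Zone site",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Drive-letter path ending in .exe/.dll; also matches inside res://C:\...dll/page.html
PATH = re.compile(r'[A-Za-z]:\\[^/:*?"<>|\n]+?\.(?:exe|dll)', re.I)

def parse(log):
    """Return (code, meaning, referenced_file_or_None) for each log entry."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank or non-entry line
        code, rest = m.groups()
        hit = PATH.search(rest)
        entries.append((code, SECTIONS.get(code, "unknown section"),
                        hit.group(0) if hit else None))
    return entries

def files_to_check(log):
    """Unique files referenced by the entries (case-insensitive), in log order."""
    seen, files = set(), []
    for _, _, path in parse(log):
        if path and path.lower() not in seen:
            seen.add(path.lower())
            files.append(path)
    return files

if __name__ == "__main__":
    for code, meaning, path in parse(SAMPLE_LOG):
        print(f"{code:<4}{meaning:<30}{path or '-'}")
```

The six paths it returns are the same six files the post lists for deletion; entries such as the Trusted Zone and `about:blank` lines reference no file and are handled by the HijackThis fix alone.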