07-12-2005, 09:35 PM   #2
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7

Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. OK, on to the log...

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK.

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/actives..._principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open Add/Remove Programs and remove Open Site if listed. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

R3 - Default URLSearchHook is missing
O1 - Hosts: comments (such as these) may be inserted on individual
O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
O4 - HKLM\..\Run: [hidden31] c:\winnt\system32\drivers\etc\hidden31.exe c:\winnt\system32\drivers\etc\svhost.bat
O4 - HKLM\..\Run: [hidden] c:\winnt\system32\drivers\etc\hidden.exe c:\winnt\system32\drivers\etc\startd.bat
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory. (If you can't find them, do a search for them. Make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS.)

c:\winnt\system32\drivers\etc\rundll32.exe
c:\winnt\system32\drivers\etc\hidden31.exe c:\winnt\system32\drivers\etc\svhost.bat
c:\winnt\system32\drivers\etc\hidden.exe c:\winnt\system32\drivers\etc\startd.bat
C:\Program Files\Open Site\opnste.exe



Once done, reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
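
Added example (not part of MicroBell's post): a Python check for the last step, comparing a follow-up HijackThis log against the O4 autostart entries listed in the post to see which ones survived the cleanup. The follow-up log, its `ExampleTray` entry and the `drivers\etc` heuristic are constructed assumptions.

```python
import re

# One "O4" (autostart) line of a HijackThis log: hive, key, value name, command.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\]\s+(.+)$")

# Entries the post says to fix, copied from it.
FLAGGED_LOG = r"""
O4 - HKLM\..\Run: [rundll32] c:\winnt\system32\drivers\etc\rundll32.exe
O4 - HKLM\..\Run: [hidden31] c:\winnt\system32\drivers\etc\hidden31.exe c:\winnt\system32\drivers\etc\svhost.bat
O4 - HKLM\..\Run: [hidden] c:\winnt\system32\drivers\etc\hidden.exe c:\winnt\system32\drivers\etc\startd.bat
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
"""

# Constructed follow-up log (not from the thread): one flagged entry survived.
NEW_LOG = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKLM\..\Run: [hidden] C:\WINNT\system32\drivers\etc\hidden.exe c:\winnt\system32\drivers\etc\startd.bat
"""

def parse_o4(log_text):
    """Return {(hive, key, name, command)} for every O4 line, lower-cased."""
    entries = set()
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.add(tuple(part.strip().lower() for part in m.groups()))
    return entries

def still_present(flagged_log, new_log):
    """Value names of flagged autostart entries that the new log still lists."""
    return sorted(e[2] for e in parse_o4(flagged_log) & parse_o4(new_log))

def launches_from_drivers_etc(log_text):
    """Assumed heuristic: drivers\\etc normally holds data files such as hosts,
    so an autostart command pointing into it deserves a look."""
    return sorted(e[2] for e in parse_o4(log_text)
                  if "\\system32\\drivers\\etc\\" in e[3])

if __name__ == "__main__":
    print("still present:", still_present(FLAGGED_LOG, NEW_LOG))
    print("autostart from drivers\\etc:", launches_from_drivers_etc(NEW_LOG))
```

Matching is case-insensitive on the whole entry, so an entry whose command line changed between logs will not be reported by `still_present`; the `drivers\etc` check catches that case independently.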