Hi and Welcome to TSF!
Please do not leave out the top header of your HJT log. We require the information contained there.
Please subscribe to this thread to be notified of fixes as soon as they are posted by our Team. To do this, please click the "Thread Tools" button located in the original thread line and select "Subscribe to this Thread".
It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are carrying out the procedures below.
It is also important you don't miss a step and perform everything in the right order!!
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Please do not run Hijackthis from its current location.
- Create a permanent directory - C:\Program Files\HiJackThis\
- Re-locate all files to the new directory
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Please download these additional files/programs. Do not run them unless instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.
CleanUp! - Install.
I have attached a file to this post - regdel.txt
Download it & rename it "regdel.reg" (inclusive of the quotes)
Double-click on it & answer YES when prompted to merge into the Registry
Unplug your computer from the Internet when you have finished downloading
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
WeatherBug - This program is adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes or deletions listed below.
Spyblocs - These programs are rogueware and we highly recommend that you uninstall them. Rogue or Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.
Uninstall the following programs, if present, using Control Panel > Add/Remove Programs :
- Weatherbug
- Spyblocs
- Ware Out
- SBSoft
- MyWebSearch
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run a scan with HiJackThis & select(tick) the following & click [Fix checked] :
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: (no name) - {4BC1DC20-0E9B-A9E7-FDD7-975E92B0C60A} - syspanel.dll (file missing)
O2 - BHO: NetGuideBHO Class - {0FD7DAF0-BBEF-4990-B19E-2805D280571F} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [msag] cmon14.exe
O4 - HKLM\..\Run: [Bogobot] ATLIEHELPER.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [bnui] NsCplTray.exe
O4 - HKCU\..\Run: [pizda] killall.exe
O4 - HKCU\..\Run: [FLKPT] SYSTRAV.exe
O4 - HKCU\..\Run: [SpyBlocs] C:\Program Files\eBlocs\SpyBlocs\GLFB.exe
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.83/users/sale/web...hm::/update.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/insta.../sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B881672-58B5-4979-8FAC-728F72BBD7DD}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{1431AD6A-52E0-4C2C-AD1D-EAF41E89E88C}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1E30007-42D0-4AE7-89AF-EF88E5B6AC93}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B881672-58B5-4979-8FAC-728F72BBD7DD}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B881672-58B5-4979-8FAC-728F72BBD7DD}: NameServer = 69.50.188.180,85.255.112.5
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO SAFE MODE
- Restart the computer. The computer begins processing a set of instructions known as BIOS.
- As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard.
- Continue to do so until the 'Windows Advanced Options' menu appears.
- Using the arrow keys on the keyboard, scroll to and select the menu item - Safe Mode.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Enable the viewing of Hidden files
- From Windows Explorer, go to Tools>Folder Options>View tab.
- Enable the option for 'Show hidden files and folder'
- Disable the option for 'Hide file extensions for known types'
- Disable the option for 'Hide protected operating system files'
- Click Yes to confirm & then click OK
= = = = = = = = = = = = = = = = = = = = = = = =
Locate and delete the following folder(s), if present:
- C:\Program Files\eBlocs\
- C:\PROGRA~1\AWS\
Locate and delete the following file(s), if present:
- C:\DOCUMENTS AND SETTINGS\ALL USERS\FAVORITES\AdultGambling.url
- C:\WINDOWS\system32\hgqhp.exe
- C:\WINDOWS\system32\phpdx.dll
Search for & delete ... using Start> Search... the following file(s), if present:
- syspanel.dll
- cmon14.exe
- ATLIEHELPER.exe
- NsCplTray.exe
- killall.exe
- SYSTRAV.exe
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Run Cleanup! & configure the program as follows:
- Click Options...
- Move the arrow down to Custom CleanUp!
- Put a check next to the following:
  - Empty Recycle Bins
  - Delete Cookies
  - Delete Prefetch files
  - [X]Scan local drives for temporary files (Please uncheck this option)
  - Cleanup! All Users
- Click OK
- Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
REBOOT TO NORMAL MODE
Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
- Save it to your desktop.
- Double-click the new icon on your desktop (tmas-web-scan.exe)
- It will say "Loading TrendMicro definitions".
- Once the definitions are loaded, the program will appear to close then re-open.
- Click "Start Scan"
- After it's done scanning, click "Scan Results"
- Make sure all items found have a check next to them, then click "Clean Threats Now".
- Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
In your next post, please include fresh logs from:
- HiJackThis
- Antispyware Log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________
Question - what have you done for the community today?
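
The fix list in the post above can be triaged mechanically before a helper reviews it. The following is an added example, not part of the original post and not HijackThis's own logic: it parses HijackThis-style entry lines and flags orphaned entries, autoruns given without a full path, and O17 NameServer values outside an expected set. The three heuristics and the names `triage`, `name_servers` and `expected_dns` are assumptions made for illustration; the sample lines are copied from the post.

```python
import re

# Lines copied from the fix list in the post above (a subset).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - URLSearchHook: (no name) - {4BC1DC20-0E9B-A9E7-FDD7-975E92B0C60A} - syspanel.dll (file missing)
O2 - BHO: NetGuideBHO Class - {0FD7DAF0-BBEF-4990-B19E-2805D280571F} - (no file)
O4 - HKLM\..\Run: [msag] cmon14.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B881672-58B5-4979-8FAC-728F72BBD7DD}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B881672-58B5-4979-8FAC-728F72BBD7DD}: NameServer = 69.50.188.180,85.255.112.5
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # section code, then body
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")

def name_servers(body):
    """Return the set of DNS server addresses named in an O17 entry body."""
    m = NS_RE.search(body)
    return {s.strip() for s in m["servers"].split(",") if s.strip()} if m else set()

def triage(log_text, expected_dns=frozenset()):
    """Return (code, reason, line) for each entry worth a manual look.

    Heuristics are assumptions for this example, not verdicts: a flagged
    entry still needs review by someone who knows the machine.
    """
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # log header, process list, blank lines
        code, body = m.groups()
        if "(file missing)" in body or "(no file)" in body:
            findings.append((code, "orphaned entry", line))
        elif code == "O4" and (run := RUN_RE.match(body)) and "\\" not in run["cmd"]:
            findings.append((code, "autorun without full path", line))
        elif code == "O17" and (extra := name_servers(body) - expected_dns):
            findings.append((code, "unexpected DNS: " + ",".join(sorted(extra)), line))
    return findings

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code:<4}{reason:<45}{line}")
```

Pass the resolvers your network actually hands out as `expected_dns` so that only foreign NameServer values are reported.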