Hi and Welcome to TSF
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive (C:\HJT).
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and going to Properties->System Restore; check the box for Turn OFF System Restore and make sure it's NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.
Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.
http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/actives..._principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip
Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
Download, install, and update Ewido Security Suite:
- Install ewido security suite
- Launch ewido, there should be a big E icon on your desktop, double-click it.
- The program will prompt you to update; click the OK button
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Delete these folders.
E:\DOCUMENTS AND SETTINGS\NANCY\APPLICATION DATA\Lycos
E:\DOCUMENTS AND SETTINGS\NANCY\FAVORITES\Going Places
Now navigate to this file and open it with WordPad:
E:\WINDOWS\wininit.ini
Delete the following entries... and then save the file.
NUL=E:\DOCUME~1\Nancy\LOCALS~1\Temp\randreco.exe
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\UNINST.EXE
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD7.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD6.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD5.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD4.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD3.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD2.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\BBRD1.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\7b3432.DLL
NUL=E:\WINDOWS\TEMP\_ISTMP0.DIR\7b3428.DLL
NUL=E:\WINDOWS\TEMP\_ISTMP2.DIR\_SETUP.LIB
NUL=E:\WINDOWS\TEMP\_ISTMP2.DIR\WELCOME.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP2.DIR\PROTECT.DLL
NUL=E:\WINDOWS\TEMP\_ISTMP2.DIR\PROPWIN.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP2.DIR\JAZTHANK.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP2.DIR\CTL3D.DLL
NUL=E:\WINDOWS\TEMP\_ISTMP2.DIR\6D4133.DLL
NUL=E:\WINDOWS\TEMP\_ISTMP1.DIR\_SETUP.LIB
NUL=E:\WINDOWS\TEMP\_ISTMP1.DIR\WELCOME.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP1.DIR\PROTECT.DLL
NUL=E:\WINDOWS\TEMP\_ISTMP1.DIR\PROPWIN.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP1.DIR\JAZTHANK.BMP
NUL=E:\WINDOWS\TEMP\_ISTMP1.DIR\CTL3D.DLL
NUL=E:\WINDOWS\TEMP\_ISTMP1.DIR\6AB0CA.DLL
Run KillBox. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO and proceed with the next file. Once you get to the last one click YES and it will reboot.
E:\WINDOWS\SYSTEM32\tsuninst.exe
E:\WINDOWS\INF\twaintec.inf
E:\WINDOWS\alchem.ini
E:\WINDOWS\u6f6uftuc.exe
E:\WINDOWS\system32\hochkaod3.ini
On the reboot..boot directly back to safe mode.
Run Ewido:
- Click [Scanner]
- Click [Complete System Scan] to begin scanning.
- Click [OK] when prompted to clean files
- With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
- Once finished, click the [Save report] button
- Save the report to your desktop
Close Ewido
Run the Cleanup utility again and reboot back to normal mode.
Then run another Panda scan, save its log and post it here along with the log from the Ewido scan.
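The wininit.ini step above is done by hand in WordPad. As an added example (not part of the helper's post or of any tool named in it), the script below does the same review programmatically: it parses the `[rename]` section, where a `NUL=<path>` entry queues `<path>` for deletion at the next boot, lists every pending deletion, flags the ones that point into temp folders, and removes only the entries you name while leaving every other line of the file untouched. The sample file contents, drive letter, user name and file names are constructed for the example and are not the ones from the post.

```python
"""Review and prune 'NUL=<path>' delete-on-reboot entries in a wininit.ini-style file.

Assumptions (this is example code, not from the original post):
- the [rename] section uses the classic 'destination=source' format, where a
  destination of NUL means "delete source on reboot";
- paths are compared case-insensitively, as Windows does.
"""
import re
from typing import Iterable, List, Tuple

# Constructed sample file: one legitimate rename, two pending deletions under
# temp folders, and a NUL= line outside [rename] that must be ignored.
SAMPLE_WININIT = (
    "[rename]\r\n"
    "NUL=C:\\WINDOWS\\TEMP\\_ISTMP0.DIR\\UNINST.EXE\r\n"
    "NUL=C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\randreco.exe\r\n"
    "C:\\WINDOWS\\SYSTEM32\\helper.dll=C:\\WINDOWS\\TEMP\\helper.tmp\r\n"
    "[other]\r\n"
    "NUL=C:\\not\\a\\rename.txt\r\n"
)

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*(?P<dst>[^=]+?)\s*=\s*(?P<src>.+?)\s*$")


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.strip().replace("/", "\\").upper()


def rename_entries(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [rename] section, in file order."""
    entries: List[Tuple[str, str]] = []
    section = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").strip().lower()
            continue
        if section != "rename":
            continue  # NUL= lines in other sections are not processed at boot
        ent = ENTRY_RE.match(line)
        if ent:
            entries.append((ent.group("dst").strip(), ent.group("src").strip()))
    return entries


def pending_deletes(text: str) -> List[str]:
    """Paths queued for deletion at the next reboot (destination == NUL)."""
    return [src for dst, src in rename_entries(text) if dst.upper() == "NUL"]


def is_temp_path(path: str) -> bool:
    """Heuristic: does the path live under a TEMP/TMP folder?"""
    p = _norm(path)
    return "\\TEMP\\" in p or "\\TMP\\" in p


def remove_deletes(text: str, paths: Iterable[str]) -> str:
    """Drop the NUL= entries whose source matches one of `paths`.

    Every other line (other sections, legitimate renames, line endings) is
    kept byte-for-byte so the file stays valid for the boot-time processor.
    """
    targets = {_norm(p) for p in paths}
    kept: List[str] = []
    section = None
    for line in text.splitlines(keepends=True):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").strip().lower()
            kept.append(line)
            continue
        if section == "rename":
            ent = ENTRY_RE.match(line)
            if (ent and ent.group("dst").strip().upper() == "NUL"
                    and _norm(ent.group("src")) in targets):
                continue  # this is one of the entries we were told to remove
        kept.append(line)
    return "".join(kept)


def report(text: str) -> List[str]:
    """One human-readable line per pending deletion, marking temp-folder targets."""
    return [("[temp] " if is_temp_path(p) else "[    ] ") + p for p in pending_deletes(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_WININIT):
        print(line)
    cleaned = remove_deletes(SAMPLE_WININIT, [r"C:\DOCUME~1\User\LOCALS~1\Temp\randreco.exe"])
    print("--- after pruning ---")
    print(cleaned, end="")
```

In practice you would read the real file with `open(path, newline="")` so the original line endings survive the round trip, review the `report()` output, and write back the result of `remove_deletes()` only for the entries you have decided to drop; entries that rename a file into place for a legitimate installer are left alone because they do not have `NUL` as their destination.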