Hi and Welcome to TSF
Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.
Also make sure you are using the the latest version (1.99.1) of
HijackThis and it's installed in it's own folder on the root drive.
(C:\HJT)
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s
NOT checked. We want system restore
ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.
Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.
http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/actives..._principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx
Download and install
CleanUp! but
do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
Download
smitRem.exe and save the file to your desktop.
Double click on the file and it will extract it’s files into it's own
folder on the desktop.
Place a shortcut to
Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read
Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do
NOT run a scan yet.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Open
Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "
Options..."
*Move the arrow down to "
Custom CleanUp!"
*Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click
OK
Press the
CleanUp! button to start the program. Reboot/logoff when prompted.
Next, please reboot your computer in
SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Open Add/remove programs and remove the following IF listed.
WildTangent
NewDotNet
SpyKiller
Now scan with HJT and place a checkmark next to each of the following items:
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll (file missing)
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.e xe
O4 - HKLM\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [mscsvc.exe] C:\WINDOWS\mscsvc.exe
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\System32\sysdoor.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
Click fix and close HJT
Delete the following Files/Folders in
RED (delete folders if no filename is specified or if they are highlighted in
RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)
C:\Program Files\NewDotNet\newdotnet4_50.dll
C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
C:\WINDOWS\System32\WINdirect.exe
C:\WINDOWS\System32\doriot.exe
C:\WINDOWS\System32\winshost.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\winhlp.exe
C:\WINDOWS\hostren.exe
C:\WINDOWS\hostdll.exe
C:\WINDOWS\mscsvc.exe
C:\WINDOWS\osrwin32.exe
C:\WINDOWS\sa_exe.exe
C:\WINDOWS\System32\sysdoor.exe
C:\Program Files\SpyKiller\spykiller.exe
explorer32.exe <--locate and delete that file!
Open the
smitRem folder, then double click the
RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named
smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply
Open Ad-aware and do a full scan. Remove all it finds.
Run Ewido:
- Click [Scanner]
- Click [Complete System Scan] to begin scanning.
- Click [OK] when prompted to clean files
- With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
- Once finished, click the [Save report] button
- Save the report to your desktop
Close Ewido
Next go to
Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "
Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Save the scan log and post it along with a new
HijackThis Log the
Ewido Log and the
smitfiles.txt log.
Quote:
IMPORTANT!:
Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.
Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here.
Thank you for your cooperation.
|