Tech Support Forum - View Single Post - Ricko's Hijack This log

bry623 · 08-23-2005, 07:36 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and Microsoft AntiSpyware. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm

Download PeperUninstall http://www.greyknight17.com/spy/PeperUninstall.exe. Make sure you are connected online to run this program. Run it once and reboot. Then run it again for the second time. Download PeperFix http://www.greyknight17.com/spy/PeperFix.exe and save it to your Desktop. Run it and click 'Find and Fix' (reboot if prompted).

Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

MySearchBar or MyWay Search

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Andrian\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Andrian\LOCALS~1\Temp\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\bhomod00.dll (file missing)
O2 - BHO: (no name) - {AB911FF6-BABB-4607-BC43-2CE1587441C6} - C:\WINDOWS\System32\fini.dll (file missing)
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker005.dll (file missing)
O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - (no file)
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O18 - Filter: text/html - {0512A01A-8561-4DBC-B3F2-239CFFA3019D} - C:\WINDOWS\System32\fini.dll
O18 - Filter: text/plain - {0512A01A-8561-4DBC-B3F2-239CFFA3019D} - C:\WINDOWS\System32\fini.dll
O21 - SSODL: System - {625FB647-3E27-47DE-9181-9B6DFF6D1F9E} - vr_sys.dll (file missing)

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\MyWay
c:\windows\system\bhomod00.dll
C:\WINDOWS\System32\fini.dll
C:\WINDOWS\System32\zolker005.dll
C:\WINDOWS\System32\vxh8jkdq2.exe
C:\WINDOWS\System32\symcsvc.exe
vr_sys.dll <<<<<<<<Do a search for and delete

Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart and run a new HijackThis scan. Save the log file.
Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it back here.

08-23-2005, 07:36 AM	#2 (permalink)
bry623 Manager, The Conversation Pit/Analyst, Security Team Join Date: Apr 2002 Location: NW Territory circa 1787 Posts: 11,680 OS: winxp pro sp2	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Click Yes to confirm and then click OK. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Make sure you downloaded, installed, updated and ran these programs already - Ad-aware, Spybot and Microsoft AntiSpyware. If you didn't, do them now. For more information, go to http://www.greyknight17.com/spyware.htm Download PeperUninstall http://www.greyknight17.com/spy/PeperUninstall.exe. Make sure you are connected online to run this program. Run it once and reboot. Then run it again for the second time. Download PeperFix http://www.greyknight17.com/spy/PeperFix.exe and save it to your Desktop. Run it and click 'Find and Fix' (reboot if prompted). Download AboutBuster http://www.greyknight17.com/spy/AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/CleanUp.exe ) and install it. Don't run it yet. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: MySearchBar or MyWay Search Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Andrian\LOCALS~1\Temp\se.dll/spage.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Andrian\LOCALS~1\Temp\se.dll/spage.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R3 - Default URLSearchHook is missing O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing) O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\bhomod00.dll (file missing) O2 - BHO: (no name) - {AB911FF6-BABB-4607-BC43-2CE1587441C6} - C:\WINDOWS\System32\fini.dll (file missing) O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\zolker005.dll (file missing) O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - (no file) O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file) O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\symcsvc.exe O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file) O15 - Trusted Zone: .slotchbar.com O15 - Trusted Zone: .slotchbar.com (HKLM) O18 - Filter: text/html - {0512A01A-8561-4DBC-B3F2-239CFFA3019D} - C:\WINDOWS\System32\fini.dll O18 - Filter: text/plain - {0512A01A-8561-4DBC-B3F2-239CFFA3019D} - C:\WINDOWS\System32\fini.dll O21 - SSODL: System - {625FB647-3E27-47DE-9181-9B6DFF6D1F9E} - vr_sys.dll (file missing) Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\MyWay c:\windows\system\bhomod00.dll C:\WINDOWS\System32\fini.dll C:\WINDOWS\System32\zolker005.dll C:\WINDOWS\System32\vxh8jkdq2.exe C:\WINDOWS\System32\symcsvc.exe vr_sys.dll <<<<<<<<Do a search for and delete Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff. Restart and run a new HijackThis scan. Save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it back here. __________________ "If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"