Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
You are running Hijack This from a temporary directory. It needs to be in a permanent folder. Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJT, or another name of your choice. The program creates backup files that we may need to use later. If the program is in a Temporary folder, files may be deleted by you or automatically if your system is set to empty temp files.
Special Note:
Microsoft AntiSpyware Program:
Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”.
These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted. We recommend you uninstall it.
Viewing Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.
Start HiJackThis & go to Config > Misc. Tools > Delete a file on reboot
- In the popup box that appears, type in C:\WINDOWS\DOWNLOADED PROGRAM FILES\OSDEB.OSD
- Click the Open button.
- Click YES when prompted to restart your computer.
Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
Add/Remove
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Search 3 Toolbar <<<If present
HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
O4 - HKLM\..\Run: [AST] C:\WINDOWS\AST
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\tony\Local Settings\Temporary Internet Files\Content.IE5\EZER6LCV\CWShredder[1].exe (file missing)
Please remember to close all other windows, including browsers, then click Fix checked.
File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\BUNDLES
C:\PROGRAM FILES\SEARCH3 TOOLBAR
C:\WINDOWS\SYSTEM32\cache32_dsktptr
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\salm_gdf.dat
C:\WINDOWS\cpblpbc3.log
C:\WINDOWS\inf\flashtlk.inf
C:\WINDOWS\system32\__delete_on_reboot__st3.dll
C:\WINDOWS\__delete_on_reboot__prflbmsgp32.dll
C:\WINDOWS\AST.exe
Tools
Open HijackThis, click Config, then click Misc Tools.
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Reboot your system in Normal Mode.
Online Scans
Please open IE and go to Kaspersky WebScanner
Next click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- The program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
In your next post please include:
- Uninstall List
- Kaspersky Log
- A new Hijackthis! Log
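
Added example, not part of the original post: a small Python parser for HijackThis log entries in the format of the three lines listed above, useful when reviewing a pasted log by hand. The two review heuristics (a "(file missing)" suffix and a path under a temporary folder) and all function names are assumptions made for this sketch, not HijackThis's own logic.

```python
import re

# Section codes that appear in the post above, per the HijackThis log format.
SECTIONS = {
    "R1": "Internet Explorer search/start page registry value",
    "O4": "autostart entry (Run key or Startup folder)",
    "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# Drive-letter path, ending at a " (" annotation or at end of line.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?= \(|$)")
# Assumed heuristic: folders whose contents can be purged automatically.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse_entry(line):
    """Split one log line into code, kind, path and review notes."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None  # header or other non-entry line
    code, detail = m.group("code"), m.group("detail")
    path_match = PATH_RE.search(detail)
    path = path_match.group(0) if path_match else None
    notes = []
    if detail.endswith("(file missing)"):
        notes.append("target file missing")
    if path and any(t in path.lower() for t in TEMP_MARKERS):
        notes.append("runs from a temporary folder")
    return {"code": code, "kind": SECTIONS.get(code, "unknown section"),
            "path": path, "notes": notes}


def flagged(lines):
    """Return (code, notes) for every parsed entry that has a review note."""
    parsed = (parse_entry(line) for line in lines)
    return [(e["code"], e["notes"]) for e in parsed if e and e["notes"]]


# The three entries listed in the post above.
SAMPLE = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10",
    r"O4 - HKLM\..\Run: [AST] C:\WINDOWS\AST",
    r"O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\tony\Local Settings\Temporary Internet Files\Content.IE5\EZER6LCV\CWShredder[1].exe (file missing)",
]

if __name__ == "__main__":
    for code, notes in flagged(SAMPLE):
        print(code, "; ".join(notes))
```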