Download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.php#adaware for better scan results. Run the scan and fix everything that it finds.
Download and install Spybot S&D from http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.
Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident. Make sure you enable TeaTimer after we are done. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.
Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix from http://majorgeeks.com/download4392.html and install it over the current Spybot installation.
Please delete the following files:
C:\WINDOWS\system32\csqhd.exe
C:\WINDOWS\system32\dmggl.exe
Please double check these files no longer exist, empty your recycle bin if necessary.
Please download ATF Cleaner by Atribune.
- Double-click ATF-Cleaner.exe to run the program.
- Click Main at the top and from the list on the main window, choose Select All.
- Click the Empty Selected button.
Now select Firefox from the top, and then do the same again.
- Click Exit on the Main menu to close the program.
Can you confirm that you did NOT check and fix the legit O17 in HJT? As I pointed out in my previous post:
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C9420E6-EF75-4778-B520-FE1D7461AA0D}: NameServer = 62.241.163.200 62.241.162.201
Is LEGIT! And the one below was bad.
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C9420E6-EF75-4778-B520-FE1D7461AA0D}: NameServer = 85.255.113.134 85.255.112.104
Post back with fresh results from Panda along with a description of how your system is behaving now.
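
An added example, not part of the original post: a Python check that pulls the O17 NameServer entries out of a HijackThis log and flags any resolver that is not on a list you expect for that machine. The sample lines are the two quoted in the post plus one constructed O4 line; the `EXPECTED` list and the function names are assumptions made for the illustration.

```python
import ipaddress
import re

# HijackThis O17 line: "O17 - <registry key>: NameServer = <ip> <ip> ..."
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# Sample log: the two O17 lines quoted in the post; the O4 line is constructed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Example] C:\Example\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C9420E6-EF75-4778-B520-FE1D7461AA0D}: NameServer = 62.241.163.200 62.241.162.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C9420E6-EF75-4778-B520-FE1D7461AA0D}: NameServer = 85.255.113.134 85.255.112.104
"""

# Assumption: resolvers the ISP or router is known to hand out to this machine.
EXPECTED = ["62.241.163.200", "62.241.162.201"]


def parse_o17(log_text):
    """Return [(registry_key, [server, ...])] for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # Servers may be separated by spaces or commas.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def review_o17(log_text, expected):
    """Mark each O17 entry 'expected' or 'review' against the expected resolvers."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    findings = []
    for key, servers in parse_o17(log_text):
        unexpected = []
        for s in servers:
            try:
                known = ipaddress.ip_address(s) in expected_ips
            except ValueError:
                known = False  # not an IP address at all: always worth a look
            if not known:
                unexpected.append(s)
        verdict = "review" if unexpected else "expected"
        findings.append({"key": key, "unexpected": unexpected, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in review_o17(SAMPLE_LOG, EXPECTED):
        print(f["verdict"], f["unexpected"], f["key"])
```

An entry marked `review` only means the resolver is not on your list; confirm against what the ISP or router actually assigns before fixing it in HJT.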