Tech Support Forum - View Single Post

MicroBell · 10-25-2004, 01:45 AM

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log…..

Open My Computer>>Tools>>Folder Options>>View>> Hidden files and folders>> select show hidden files and folders. Uncheck the Hide protected operating system files. Disable system restore by clicking Start>>Settings>>Control Panel>>Double-click the System icon Performance tab>>File System>>Troubleshooting tab, and then check Disable System Restore.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go to add/remove programs and remove WEB_REBATES if it's listed.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)

C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Delete the following Files/Folders in RED (delete folders if no filename is specified) according to their directory (If you can't find them...do a search for them)

C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not

10-25-2004, 01:45 AM	#3 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,961 OS: Windows XP-Pro SP2	Hi and Welcome to TSF Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature. Ok..on to the log….. Open My Computer>>Tools>>Folder Options>>View>> Hidden files and folders>> select show hidden files and folders. Uncheck the Hide protected operating system files. Disable system restore by clicking Start>>Settings>>Control Panel>>Double-click the System icon Performance tab>>File System>>Troubleshooting tab, and then check Disable System Restore. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go to add/remove programs and remove WEB_REBATES if it's listed. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure) C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry) R3 - Default URLSearchHook is missing F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file) O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file) O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe" O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab Delete the following Files/Folders in RED (delete folders if no filename is specified) according to their directory (If you can't find them...do a search for them) C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder