Member Panel

Borske · 09:27 PM

Hello,

I am new to this site but I must admit that I have used your recomendations to others to trouble shoot in the past. We recently switched to comcast from quest dsl and now we are getting bombarded with popup ads and other forms of lag. My wife has spent a great deal of time with the comcast personell and they have not been helpfull at all. I am currently running a couple of spyware programs and am posting a "hijackthis" paste in hopes of some help. I did remove several items that the Hijackthis website suggested but I would like a second opinion.

Thank you very much

Borske

joe5

Hya Borske , welcome to PCHF.

Lets clean that up asap.

Before fixing things with HijackThis Please Do the Following:

Show hidden files and folders:

For XP:

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under Hidden files and folders, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when youre PC is clean).

How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

Uninstall "Logiteck desktop messenger" in add/remove programs.

Please download ATF-Cleaner.

Then boot in safemode (hit f8 when booting up) and fix these with hjt:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xvyar.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jqfedyr. exe
O2 - BHO: (no name) - {7D9CB362-375B-4FB9-8024-E55079CC69D1}" - (no file)
O4 - HKLM\..\Run: [hdlnrr] C:\WINDOWS\system32\ilhvss.exe reg_run
O4 - HKLM\..\Run: [{19-90-00-0D-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [w00abf67.dll] RUNDLL32.EXE w00abf67.dll,I2 000204de000abf67
O4 - HKLM\..\Run: [sms_msn40] C:\WINDOWS\system32\sms_msn40.exe
O4 - HKLM\..\Run: [w0dceb0d.dll] RUNDLL32.EXE w0dceb0d.dll,I2 000204de00dceb0d
O4 - HKCU\..\Run: [easpt] C:\WINDOWS\system32\ilhvss.exe reg_run
O4 - Global Startup: attwy.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)

And manually delete the files in bold , and do a search for these files and also delete them:

jqfedyr. exe
w00abf67.dll
w0dceb0d.dll
attwy.exe

Run ATF-Cleaner:
First check "Select All" , and then remove the tick infront of "History".
Finally click Empty Selected.
When you get the "Done Cleaning" message, click OK.

Then boot back in normal mode.

Please Download RKFiles.zip
Create a new folder C:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into the new folder you just created.

Next, Create a new Folder on Desktop. Name that Folder QOOLOGIC
Please download Findqoologic into the new Folder, and then unzip it into the new Folder.

Restart to safe mode. (tap f8 key during bootup)

Open the C:\Antispyware\RKFiles folder
Double click on RKFILES.BAT
Give it time to run. this may take a while.
Save the text file it creates.
It should save by default to C:\Log.txt

Next, open the QOOLOGIC Folder and Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, post it in a reply to your thread after doing the rest of what follows here.
It'll take a while to run a full scan so please be patient.

Restart into regular Windows mode and post the contents of C:\log.txt and the find-qoologic results , plus a new hjt log please.

Borske

Thank you very much. I am moving along as quickly as I can but I have run into a snag. When I tried to find the files for "QOOLOGIC" it said that the page could not be found. I did get the zip file loaded into the anti spyware folder as you requested and I just need some direction as to how to proceed from here.

Next, Create a new Folder on Desktop. Name that Folder QOOLOGIC
Please download Findqoologic into the new Folder, and then unzip it into the new Folder.

Again thank you very much for the help.

Borske

Borske

This is a new Hijack file for my computor as it sits now.

hijackthis 4-9-06.txt

Borske

Here is the log from antispyware

C:\Antispyware

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

joe5

Looking very good sofar.

And here is an other link , please also post a log from that:

http://virus-protect.org/zip/Find_Qoologic.zip

Borske

I just tried to run the Qoologic and ran into an error.

16BIT MS-DOS SUBSYSTEM

C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\CONFIG.NT
The system file is not suitable for running MS-DOS and microsoft windows applications. Choose 'close' to terminate the application.

However every thing that has been done so far has made the world of difference and I belive that I removed the Qoolaid with symantic and ewido. Thanks for everything to this point and if you know how I can get the program to work I will run it also.

Thanks again
Borske

Member Panel

Sponsors and Ads

Noticeboard