You are using an outdated version of HijackThis.
Please download the latest version from the following link:
HijackThis Download Site
Once it is downloaded, extract the zip file to
c:\hjt and navigate to the c:\hjt folder.
If all is successful, delete both the zip folder on the desktop, and your old hijackthis folder located here:
C:\Documents and Settings\Glytch\Desktop\HijackThis.exe
You CANNOT follow the steps below until you update and MOVE HijackThis!!!
====================================================
Well, let's try to get this cleaned out, ok?
If you have problems understanding something, stop and ask. There are no stupid questions.
You have some nice infections on your computer. I am going to have you run 3 different programs, and then clean what's left over manually. Now, please realize that some of the file/HijackThis lines may not be present because they have been cleaned by the programs. So don't worry if it's not there. Ok?
0. There is a particular file on your computer that is definitely bad, but I just don't know which infection it is, because more than one infection uses the same filename. Therefore, please go here:
http://virusscan.jotti.org/
then you will see a box to submit a file. Please submit this file and tell me what it says:
C:\WINNT\System32\msole32.exe
Next, are you using this computer as a server of any type?
1. We are going to install Ewido AV. I have included instructions below, but there is also a PDF created by Spydie here if that suits you better.
Please download Ewido Security Suite; it is a trial version of the program.
- Install ewido security suite
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Once the updates are installed do the following:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- NOTE: During some scans with ewido it is finding cases of false positives.**
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
2. Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.
Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.
If an update is available download it and install it. Click the "Finish" button to go back to the main screen.
Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Make sure the "Automatically quarantine objects prior to removal" setting is checked green and then click "Proceed" to save your changes.
Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat. Leave the option for low-risk threats unchecked also. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a green checkmark:
Then click on the "Tweak" Button to open up the tweak settings.
Open up the Scanning Engine section and make sure all of the following are On with a green checkmark:
- Scan registry for all users instead of current user only
Make sure the following is unchecked with a red X:
- Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a green checkmark:
- Always try to unload modules before deletion
- During Removal, unload Explorer and IE if necessary
- Let Windows remove files in use at next reboot.
Click the "Proceed" button to save settings. Click next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to "Scan Complete".
Click the "Next" button to get to the Scanning Results screens where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. Once all are selected, click "Next" and then "OK" in the pop-up window to confirm the removal.
3. Spybot S&D, available from here.
1. Download and install Spybot S&D, accepting the default settings
2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to 'Search for Updates' then download and install the updates.
5. Next click the button 'Check for Problems'
6. When Spybot is complete, it will be showing 'RED' entries, bold 'Black' entries and 'GREEN' entries in the window
7. Make certain there is a check mark beside all of the RED entries ONLY.
8. Choose 'Fix Selected Problems' and allow Spybot to fix the RED entries.
9. REBOOT to complete the scan and clear memory.
4. Now for the manual cleaning:
Please go to:
start-->
run
and type this in:
regedit
Then click on the
FILE menu and select
export
Save the file as
backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL
Then, go to
start-->
run
and type this in:
notepad
Paste this into the box:
REGEDIT4
; [-key] deletes the whole key; "name"=- deletes a single value;
; "name"="text" writes a plain string (REG_SZ) value
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\paint.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\notepad2.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Enable Browser Extensions"="no"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\notepad.exe]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"uuid"=-
Then click on the
FILE menu and select
save as
Save the file as
regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file
REALLY IMPORTANT: DON'T DOUBLECLICK ON THIS FILE YET. WE WILL DO THIS IN SAFE MODE
5. Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read
Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
5a. Then reboot your computer.
As soon as it starts to boot, rapidly press the F8 key.
Select safe mode from the menu.
If you are still unsure, see here.
IF you don't end up in safe mode, shut the computer down and try again.
6. Now double click on HijackThis.
Click "open the misc tools section"
Click "open process manager"
Highlight this file by clicking it:
c:\winnt\system32\intmonp.exe
Then press and hold the Ctrl key on your keyboard. While still holding down the Ctrl key, select this file with your mouse:
C:\WINnt\System32\hp5066.tmp
Both files should now be highlighted.
While still holding the Ctrl key, select these files as well:
c:\widnows\system32\intmon.exe
popuper.exe
C:\WINnt\System32\msole32.exe
Then release the Ctrl key and press the "Kill process" button. You should get a warning; click OK. Now exit HijackThis.
7. Restart HijackThis.
Then click on the button that says "Do a system scan only".
Then place a check next to the following items and click "Fix checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpC53F.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINNT\system32\intell32.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0297a479c30 ... xIE601.cab
8. We need to do a search. Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:
c:\winnt\system32\hhk.dll
c:\winnt\system32\intmonp.exe
C:\WINnt\System32\hp5066.tmp
c:\widnows\system32\intmon.exe
sites.ini
popupper.exe
C:\WINnt\System32\msole32.exe
If any of these files are found please delete them.
9. Now, please click on that regfix.reg file that you created on your desktop and merge it into the registry.
10. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds.
Now reboot into normal mode.
11. Restoration: You may notice that some of your programs don't work correctly with the internet. This is because an infection has deleted the Browser Helper Objects. Some common BHOs that may have been deleted:
- Spybot's resident IE\
- Acrobat
- super popup blocker
- all the different download accelerators
- yahoo/google toolbars
- ebay toolbar
as well as others. If you suspect a program has been damaged by the trojan, the best thing to do is to uninstall the program and reinstall it.
After you are all done, can you please go to Start -> Run and paste this in?
regedit.exe /e c:\output.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run"
Hit Enter,
then go to the C:\ drive and paste the contents of output.txt to me. Then you can delete the output.txt file.
Please give me an ewido log, a jotti scan log, the output.txt file and a new HijackThis log
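The fix in step 4 is a REGEDIT4 file, and it helps to know exactly what each line will do before merging it: a `[KEY]` line opens (creating if needed) a key, `[-KEY]` deletes a key and everything under it, `"name"="text"` writes a plain string (REG_SZ) value, and `"name"=-` deletes one value. The parser below is an added example written for this page, not part of the original post or of HijackThis; it reads that subset of .reg syntax and reports the action each line performs, never touching the registry. The sample text is constructed from the fix above (with the string value written as a plain quoted string), and the function and class names are my own.

```python
"""Interpret a REGEDIT4-style .reg file and list what each line would do.

Added example (not from the original post). Handles the subset of .reg
syntax used in the fix above: [KEY] opens/creates a key, [-KEY] deletes a
key, "name"="text" writes a REG_SZ value, "name"=- deletes a value, and
';' starts a comment. It only reads text; it never writes to the registry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the regfix.reg content from the post, as a plain
# quoted REG_SZ string for the IE setting.
SAMPLE_REG = r'''REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\paint.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\notepad2.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Enable Browser Extensions"="no"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\notepad.exe]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"uuid"=-
'''


@dataclass
class RegAction:
    """One registry operation implied by a .reg line."""
    op: str                      # delete_key | ensure_key | set_value | delete_value
    key: str
    name: Optional[str] = None   # value name for set_value / delete_value
    value: Optional[str] = None  # REG_SZ text for set_value


KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')
# "name"=<rhs>; the name may contain escaped quotes (\") or backslashes (\\)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text: str) -> List[RegAction]:
    """Turn .reg text into an ordered list of RegAction records."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header line")
    actions: List[RegAction] = []
    current_key: Optional[str] = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # blank line or comment
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:                      # [-KEY] removes the key and its subtree
                actions.append(RegAction("delete_key", key))
                current_key = None         # values may not follow a deleted key
            else:                          # [KEY] opens the key, creating it if absent
                current_key = key
                actions.append(RegAction("ensure_key", key))
            continue
        m = VALUE_RE.match(line)
        if m:
            if current_key is None:
                raise ValueError(f"line {lineno}: value outside of a [key] section")
            name, rhs = _unescape(m.group(1)), m.group(2)
            if rhs == "-":                 # "name"=- deletes that one value
                actions.append(RegAction("delete_value", current_key, name))
            elif len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
                # a quoted right-hand side is stored verbatim as REG_SZ
                actions.append(RegAction("set_value", current_key, name, _unescape(rhs[1:-1])))
            else:
                raise ValueError(f"line {lineno}: unsupported value syntax {rhs!r}")
            continue
        raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    return actions


def describe(actions: List[RegAction]) -> List[str]:
    """Human-readable one-liner per action, for review before merging."""
    out = []
    for a in actions:
        if a.op == "delete_key":
            out.append(f"DELETE KEY   {a.key}")
        elif a.op == "ensure_key":
            out.append(f"OPEN/CREATE  {a.key}")
        elif a.op == "set_value":
            out.append(f'SET REG_SZ   {a.key}\\{a.name} = "{a.value}"')
        else:
            out.append(f"DELETE VALUE {a.key}\\{a.name}")
    return out


def keys_opened_without_changes(actions: List[RegAction]) -> List[str]:
    """Keys that a [KEY] line opens but under which no value is set or deleted.

    Such a line only creates an empty key, so it is worth a second look
    before the file is merged."""
    touched = {}
    for a in actions:
        if a.op == "ensure_key":
            touched.setdefault(a.key, False)
        elif a.op in ("set_value", "delete_value"):
            touched[a.key] = True
    return [k for k, used in touched.items() if not used]


if __name__ == "__main__":
    acts = parse_reg(SAMPLE_REG)
    print("\n".join(describe(acts)))
    for k in keys_opened_without_changes(acts):
        print(f"NOTE: {k} is only created, nothing written under it")
```

Run it as a script to get one line per registry operation; `keys_opened_without_changes` lists any key the file opens without writing or deleting a value beneath it, which is the quickest way to spot a `[KEY]` line that was meant to be `[-KEY]` before the file is merged.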