One last item I just can't get rid of!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chessrun, Feb 12, 2005.

  1. chessrun

    chessrun Private E-2

    I have been struggling on and off now to rid this workstation of the one last thing that keeps popping up and redirecting web pages. I delete items using HijackThis, but after reboot they keep coming back.
    Any ideas?

    Thanks -
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Chessrun,

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work lately and cannot visit this forum too often these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. chessrun

    chessrun Private E-2

    Thanks. I have tried all the above but still get my browser hijacked with porn sites.
    I will post my HijackThis file for you to look at and advise.

    Thanks -

    Pete
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Pete,

    Let's see what we can do. . . .


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ruserv.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html

    O2 - BHO: qcute - {C0E5A8A2-4E28-C656-CB3F-BF4E0B77AB5E} - C:\WINDOWS\SYSTEM\QCUTE.dll
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717177651316} - C:\WINDOWS\SYSTEM\QWE1316.DLL
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\SYSTEM\DSKTRF.DLL

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 213.159.117.133
    O15 - Trusted IP range: 213.159.117.133 (HKLM)

    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/lsacd_xmlwebservices/Http/OIFActiveX/ofmctl.cab
    O16 - DPF: {D27CDB6E-AE6A-11CF-96B8-444553540000} - http://hometown.aol.com/hotdancer2704/myhomepage/ProfR1G.exe
    O16 - DPF: {05FD13D0-4623-5C07-5328-20453F1B00B8} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {0063827B-026B-3EA5-DD4B-460C7365BC82} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {5DD3320F-04D1-1F96-4D97-6DE45B421E0E} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {6447B5DB-7BF1-3623-5A92-63FD72E5C5B9} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {6012730F-334F-7F81-D705-6E103118151F} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {64921B29-812D-22AD-A8F4-0EA40E1B69CF} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {5B563894-38AE-56B9-0575-00B30062EA1F} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {7DC966FA-7FAF-76E6-1ACC-12BA5F640467} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {4E77DBF8-5DBE-6668-C5B9-26AC6DECB9B1} - http://213.159.117.150/1/rdgUS10.exe
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\SYSTEM\QCUTE.dll
    C:\WINDOWS\SYSTEM\QWE1316.DLL
    C:\WINDOWS\SYSTEM\DSKTRF.DLL
    C:\Program Files\AWS --> The Folder

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
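
An added example, not part of the original post: a small triage script run over a subset of the entries listed above, showing what sets the flagged O15/O16 lines apart. The three heuristics (bare IP in the Trusted Zone, an ActiveX `.exe` fetched from a bare IP, several CLSIDs sharing one download URL) and the names `triage` and `SAMPLE_LOG` are this example's assumptions, not criteria stated by the helper.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Entries copied from the fix list in the post above (a subset).
SAMPLE_LOG = """\
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 213.159.117.133 (HKLM)
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/lsacd_xmlwebservices/Http/OIFActiveX/ofmctl.cab
O16 - DPF: {05FD13D0-4623-5C07-5328-20453F1B00B8} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {0063827B-026B-3EA5-DD4B-460C7365BC82} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")   # section code, rest of line
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (\S+)$")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (findings, clsids_by_url) for the text of a HijackThis log."""
    findings, by_url = [], defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        if code == "O15" and body.startswith("Trusted IP range:"):
            findings.append(("O15", "bare IP in Trusted Zone", body.split(":", 1)[1].strip()))
        d = DPF.match(body) if code == "O16" else None
        if d:
            clsid, _name, url = d.groups()
            by_url[url].append(clsid)
            u = urlparse(url)
            if is_ip(u.hostname or "") and u.path.lower().endswith(".exe"):
                findings.append(("O16", "ActiveX .exe fetched from bare IP", clsid))
    for url, ids in by_url.items():
        if len(ids) > 1:  # many CLSIDs, one download: same installer re-registered
            findings.append(("O16", f"{len(ids)} CLSIDs share one codebase", url))
    return findings, dict(by_url)

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG)[0], sep="\n")
```

The script only reads log text; removal is still done through HijackThis as described in the post.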
     
  5. chessrun

    chessrun Private E-2

    Did everything on the list and have attached the HijackThis file. I was able to get to this site and post this without getting 'hit' - definitely better!
    Thanks for the detailed and easy to follow directions. Let me see if you see anything askew in the file or if it appears we are good from here.

    Thanks again -
     


  6. PhilliePhan

    PhilliePhan Guest

    Looks better.

    I didn't notice this before, but please put HijackThis in a safer folder - C:\Program Files\HijackThis

    Then, fix these with HJT:
    O15 - Trusted IP range: 213.159.117.133
    O15 - Trusted IP range: 213.159.117.133 (HKLM)


    Then submit a fresh HJT log and let's see if they were removed.

    PP :)
     
