Almost repaired? -can you please check my Hijacklog

Discussion in 'Malware Help (A Specialist Will Reply)' started by MALTAN, Dec 30, 2005.

  1. MALTAN

    MALTAN Private E-2

    Hello all,
I am new to MajorGeeks, but I have to say it has been a great help in fixing my recent spyware issues. It seems that I have corrected my desktop takeover issues but am still working on the about:blank spyware for IE. I have followed all the steps 1-6 and continued on and completed the about:blaster and hsremove. I did all of this in safe mode and then rebooted into normal mode to make my HijackThis log. I then copied the log onto a disk and posted the log using a different computer in order not to connect to the internet and possibly ruin my efforts up to this point. Could someone please take a look at my log and let me know what I should do at this point and what files need to be removed. Thank you very much for all your help.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Step 6 of the READ ME gives two online scans to run. You must attach the logs for both of these as indicated in the READ ME or you have not completed the READ ME.

    Also I would like to see the About:Buster (not about:blaster) log.
     
  3. MALTAN

    MALTAN Private E-2

Thanks for the reply. I did run About:Buster (typo on my part). I will have to get back to you on the online scan logs. I do not have my computer at work with me. I should be able to post the 3 logs later today. Thank you.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We'll be looking for them. It is important to be careful with names of programs like that. There are many BAD programs out there that use similar names to valid programs in an attempt to hide. For another example: SpyBlaster = BAD whereas SpywareBlaster = GOOD. ;)
     
  5. MALTAN

    MALTAN Private E-2

    Hello again,
I have completed the 2 internet scans and performed a new HJT scan and attached all 3 logs. The Panda scan found a cd_clint.dll file and I deleted that, which I assume the HJT log would reflect? Anyways, my computer seems to be working pretty good and my homepage is no longer about:blank. Any last deletions based on the logs would be great. Thank you very much for all the help.
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall Propel Accelerator Popup blocker? If not, is it working? HJT is showing a file missing but HJT has problems with saying things are missing when they are not.

    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll (file missing)

    Is the C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll file really missing?

    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0E29D4BC-9E50-4331-91C2-5E32A55D78E2} - C:\WINDOWS\system32\niic.dll (file missing)
    O2 - BHO: Class - {49093240-8C68-BEDC-15C1-49AA03992821} - C:\WINDOWS\system32\netgj.dll (file missing)
    O2 - BHO: Class - {C5933008-BD9D-D18E-FDF7-470E8C5B5132} - C:\WINDOWS\addlc32.dll (file missing)
    O2 - BHO: Class - {DC710D77-5A09-2FBF-A797-DCAE7E649FA3} - C:\WINDOWS\system32\mfccm.dll (file missing)
    O2 - BHO: Class - {F97AC71F-C713-8B99-AAF3-4091BCE80337} - C:\WINDOWS\sysny32.dll (file missing)
    O4 - HKLM\..\Run: [rscn] C:\WINDOWS\system32\bum688.exe ymmud
    O4 - HKLM\..\Run: [NAVNet] "C:\WINDOWS\system32\voi160.exe" /m

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found - some may really be deleted already):

    C:\WINDOWS\system32\niic.dll
    C:\WINDOWS\system32\netgj.dll
    C:\WINDOWS\addlc32.dll
    C:\WINDOWS\system32\mfccm.dll
    C:\WINDOWS\sysny32.dll
    C:\WINDOWS\system32\bum688.exe
    C:\WINDOWS\system32\voi160.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
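The post above hinges on two things a helper does by hand: pulling the CLSID and file path out of each O2/O4 line, and checking whether a file HJT flags as "(file missing)" is really gone before telling someone to delete it. The following is an added example written for this thread, not code from HijackThis or from the forum; the log lines are constructed from the entries quoted above, and the `exists` callback stands in for a real disk check so it runs offline.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample log, modelled on the O2/O4/R3 entries quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\\Program Files\\Propel Accelerator\\prpl_IePopupBlocker.dll (file missing)
O2 - BHO: (no name) - {0E29D4BC-9E50-4331-91C2-5E32A55D78E2} - C:\\WINDOWS\\system32\\niic.dll (file missing)
O4 - HKLM\\..\\Run: [rscn] C:\\WINDOWS\\system32\\bum688.exe ymmud
O4 - HKLM\\..\\Run: [NAVNet] "C:\\WINDOWS\\system32\\voi160.exe" /m
R3 - Default URLSearchHook is missing
"""

# O2: "O2 - BHO: <name> - {CLSID} - <path> [(file missing)]"
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - '
                   r'(?P<path>.*?)(?P<missing> \(file missing\))?$')
# O4: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$')

@dataclass
class Entry:
    kind: str             # "O2", "O4" or "R3"
    label: str            # CLSID for O2, Run value name for O4, text for R3
    path: Optional[str]   # file the entry points at, if any
    hjt_missing: bool     # HJT's own "(file missing)" / "is missing" verdict
    raw: str

def command_path(cmd: str) -> str:
    """Strip arguments from an O4 command line: quoted path or first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]

def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in (l.strip() for l in text.splitlines()):
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["clsid"], m["path"], bool(m["missing"]), line))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["value"], command_path(m["cmd"]), False, line))
        elif line.startswith("R3 - "):
            entries.append(Entry("R3", line[5:], None, "is missing" in line, line))
    return entries

def really_present(entries: List[Entry], exists: Callable[[str], bool]) -> List[str]:
    """Paths HJT called missing that the disk check says are still there."""
    return [e.path for e in entries if e.hjt_missing and e.path and exists(e.path)]
```

On a live machine `exists` would simply be `os.path.exists` (with hidden files visible, as the post says); entries that come back from `really_present` are the ones worth a second look before fixing.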
     
  7. MALTAN

    MALTAN Private E-2

    Chaslang,
    I have completed all the steps from your previous post. There was no Propel Accelerator in the program folders and none of the files existed in the C:/WINDOWS folders. I deleted the prefetch files and CCleaner ran fine. MajorGeeks came up as my home page and things seem back to normal. The only issue I still have is that prior to this problem I used to be able to simply click my Verizon connection and it would connect my DSL connection after verifying username/password. Now I have to go to network connections and enable the local LAN connection. Once that is enabled I then have to go to the Verizon connection and connect via username/password. I would assume that it is some setting that got screwed up during this whole ordeal. It is just one extra step that I never had to do before. Anyways, thank you very much for the help.
     