help reading HT logs

Discussion in 'Malware Help (A Specialist Will Reply)' started by marmalak, May 17, 2006.

  1. marmalak

    marmalak Private E-2

    Dear all,

    I have a browser hijacker on Internet Explorer that got there through opening a site. I didn't download anything. I have gone through all the procedures as posted on this forum but it's still there.

    The hijacker doesn't affect my default homepage but only kicks in after I perform a Google search and click on the results. That's when I get redirected to another page, sometimes eBay (or at least it looks like eBay), other times it's another search engine which seems to tie in with whatever I was searching for, but it's not the page I asked for. It only does this twice, then on the third click I get the page I asked for.

    At the same time I got this hijacker, my AOL scanner started detecting a trojan called win32/Qhost.df, which is still there at every startup despite deleting it several times. I did turn off System Restore as directed but it's still there.

    I also have dysspy, which was picking up mshta.exe, although that isn't showing up anymore.

    I did all the scans in safe mode etc. and I've attached the results for BitDefender, Panda and HT. Could anyone help me please?
     


  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    You are running an anti-spyware program which is not trusted or recognised to be safe,
    this link provides some details: - http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Therefore it is recommended that you remove it using the Add/Remove option on your computer:

    Start-Control Panel-Add/Remove

    Look for the following program and remove it:

    UnSpyPC

    Follow the directions for Running Hoster.

    In HJT choose "Open the Misc Tools section", then choose Process Manager. Highlight:
    Choose Kill Process. Close HijackThis.

    Download FixWareout by Lonny and save it to your Desktop.
    • Please locate your download of FixWareout and INSTALL it.
    • Be sure that Run fixit is checked.
    • Click Finish to begin the fix.
    • Follow the prompts and Reboot when asked to do so.
    • Upon Reboot, follow the prompts and HijackThis should open.
    Fix the following Lines:
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the filenames below into Killbox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a "Pending Operations" type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for:
    Running Ewido Anti-Malware


    Post a fresh HijackThis log and the Ewido log.
     
  3. marmalak

    marmalak Private E-2

    Thanks for the directions, dude!

    I followed them as closely as possible and the good news is my browser isn't getting hijacked anymore. Just a couple of points though:

    1. There was no UnSpyPC in my programs list so I didn't delete anything.

    2. When it came to fixing the lines in HijackThis, a couple of them weren't there so I just deleted whatever was.
    Apart from those two things I was able to do everything as instructed in safe mode and I've attached the edi and HT scans.

    You mentioned I have an untrustworthy spyware protector. Do you mean the Dysspy? It still pops up on startup although it doesn't scan automatically anymore. If I do scan with it though, it detects a browser hijacker, which it never did before. Is that a good thing or a bad thing? Should I just delete the whole program? I've had it a while and it never gave me any problems before, and it actually picked up a few things that Spybot and Ad-Aware didn't.

    Your advice is greatly appreciated.
     


  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No, I was talking about UnSpyPC. Your logs indicated that it was present on your system, and is a part of the WareOut infection.

    Look for C:\Program Files\UnSpyPC and delete it if it is present.

    Your log is clean.
     
