Help!!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by RooRman05, Mar 24, 2005.

  1. RooRman05

    RooRman05 Private E-2

    I downloaded HijackThis and isolated my HotOffers problem, but when I hit Fix checked, the screen goes white, and when I hit Scan again HotOffers and the other shit is still there. Can anyone please help me? I have been trying to get rid of this for a while now, and I'm so close. lol
     
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :eek:

    We ask that you please try to work through the following TUTORIAL first.
    This site has a lot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Try this... you may find it's all you need. If not, post your results and I am sure someone will help you. Everyone is quite busy, as you can see by the number of posts, so hang in there. Good Luck!! :)

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT.
     
  3. RooRman05

    RooRman05 Private E-2

    I have read everything you told me to and I still can't fix my checked items in HijackThis. It goes to a white screen.
     
  4. TheOldThug

    TheOldThug First Sergeant

    If you have done the whole READ ME then submit a HJT log as directed.
     
  5. RooRman05

    RooRman05 Private E-2

    Here is my HJT scan. Thanks for the help, guys.
     

    Attached Files:

    Last edited by a moderator: Mar 24, 2005
  6. TheOldThug

    TheOldThug First Sergeant

    Would you please resubmit this as a .log or .txt file as instructed.

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER and e-mail. Close them before running HijackThis!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This will be good practice for you Thug! :D

    about:Blank/HSA hijacker, Virtumundo, and a load of trojans to fix.

    PP Agrees!!
     
    Last edited by a moderator: Mar 24, 2005
  8. TheOldThug

    TheOldThug First Sergeant

    Chas and PP

    I am leaving this to one of you. It would best be addressed by someone with more experience. Too many tools that I am still not familiar with. Thanks for the confidence though.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well let's start with the HotOffers problem:

    Download the HotOffers Uninstaller

    Double click to run the uninstaller!

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixho.reg and then click Save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixho.reg file on your Desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop), and when it prompts to add the items to the registry say Yes.
    Then Click Start > Run > type in regsvr32 /u popup_bl.dll and hit OK.

    Note: Use Windows Search (see below) to locate the popup_bl.dll file and delete it if found!
    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter popup_bl.dll
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button. When found, right click on it and select delete.

    Reboot into normal mode and move on to my next message.
     
    Last edited: Mar 24, 2005
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, a note for when we finish fixing the current problems: your OS and IE version are seriously out of date. You must update once we get all current problems fixed.

    You must remember to exit ALL browsers before using HijackThis. They can make it difficult or impossible to fix certain problems when running. You had the below running:
    C:\Program Files\Internet Explorer\iexplore.exe

    Okay let's try to make a dent in some of the easier trojan problems to get us started. This will not fix all problems on your PC. It is just the beginning. When there are multiple problems like you have, it is better to do some fixes separately.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINNT\System32\wininet.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [3D4.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\3D4.tmp.exe 5 10001
    O4 - HKLM\..\Run: [4CE612F6] C:\WINNT\system32\luislmst.exe
    O4 - HKLM\..\Run: [AD1A9046] C:\WINNT\system32\wotfgm.exe
    O4 - HKLM\..\Run: [D36C61C6] C:\WINNT\system32\afkqgy.exe
    O4 - HKLM\..\Run: [F62C0BFE] C:\WINNT\system32\ATHEUIufpe.exe
    O4 - HKLM\..\Run: [AA69F1D6] C:\WINNT\system32\mzintf.exe
    O4 - HKLM\..\Run: [F182CE56] C:\WINNT\system32\qyoctiv.exe
    O4 - HKLM\..\Run: [C03BAC5E] C:\WINNT\system32\tmnxh.exe
    O4 - HKLM\..\Run: [AB84C973] C:\WINNT\system32\htapwiosr.exe
    O4 - HKLM\..\Run: [FB605876] C:\WINNT\system32\dptiack.exe
    O4 - HKLM\..\Run: [SearchAssistant] "C:\Q92194.exe "
    O4 - HKLM\..\Run: [CDAFCC53] C:\WINNT\system32\pidisc.exe
    O4 - HKLM\..\Run: [D73B21CE] C:\WINNT\system32\svcqnq.exe
    O4 - HKLM\..\Run: [A0BD4A53] C:\WINNT\system32\axiasq.exe
    O4 - HKLM\..\Run: [8B99944E] C:\WINNT\system32\bozwot.exe
    O4 - HKLM\..\Run: [F3E2FE5B] C:\WINNT\system32\friosmk.exe
    O4 - HKLM\..\Run: [AB62C6DE] C:\WINNT\system32\xexblbr.exe
    O4 - HKLM\..\Run: [CC43448B] C:\WINNT\system32\cluadlh.exe
    O4 - HKLM\..\Run: [FFF241E3] C:\WINNT\system32\aaamapildp.exe
    O4 - HKLM\..\Run: [FCB8764B] C:\WINNT\system32\qyovnlqn.exe
    O4 - HKLM\..\Run: [8D8E8A46] C:\WINNT\system32\dhtagg.exe
    O4 - HKLM\..\Run: [FB5FCDF3] C:\WINNT\system32\6to4dlhctr.exe
    O4 - HKLM\..\Run: [B7E0B10E] C:\WINNT\system32\o4dimfdbad.exe
    O4 - HKCU\..\Run: [wininet] C:\WINNT\System32\wininet.exe
    O4 - HKCU\..\Run: [4CE612F6] C:\WINNT\system32\luislmst.exe
    O4 - HKCU\..\Run: [AD1A9046] C:\WINNT\system32\wotfgm.exe
    O4 - HKCU\..\Run: [D36C61C6] C:\WINNT\system32\afkqgy.exe
    O4 - HKCU\..\Run: [F62C0BFE] C:\WINNT\system32\ATHEUIufpe.exe
    O4 - HKCU\..\Run: [AA69F1D6] C:\WINNT\system32\mzintf.exe
    O4 - HKCU\..\Run: [F182CE56] C:\WINNT\system32\qyoctiv.exe
    O4 - HKCU\..\Run: [C03BAC5E] C:\WINNT\system32\tmnxh.exe
    O4 - HKCU\..\Run: [AB84C973] C:\WINNT\system32\htapwiosr.exe
    O4 - HKCU\..\Run: [FB605876] C:\WINNT\system32\dptiack.exe
    O4 - HKCU\..\Run: [CDAFCC53] C:\WINNT\system32\pidisc.exe
    O4 - HKCU\..\Run: [D73B21CE] C:\WINNT\system32\svcqnq.exe
    O4 - HKCU\..\Run: [A0BD4A53] C:\WINNT\system32\axiasq.exe
    O4 - HKCU\..\Run: [8B99944E] C:\WINNT\system32\bozwot.exe
    O4 - HKCU\..\Run: [F3E2FE5B] C:\WINNT\system32\friosmk.exe
    O4 - HKCU\..\Run: [AB62C6DE] C:\WINNT\system32\xexblbr.exe
    O4 - HKCU\..\Run: [CC43448B] C:\WINNT\system32\cluadlh.exe
    O4 - HKCU\..\Run: [FFF241E3] C:\WINNT\system32\aaamapildp.exe
    O4 - HKCU\..\Run: [FCB8764B] C:\WINNT\system32\qyovnlqn.exe
    O4 - HKCU\..\Run: [8D8E8A46] C:\WINNT\system32\dhtagg.exe
    O4 - HKCU\..\Run: [FB5FCDF3] C:\WINNT\system32\6to4dlhctr.exe
    O4 - HKCU\..\Run: [B7E0B10E] C:\WINNT\system32\o4dimfdbad.exe
    O4 - Global Startup: TFTP2180
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\GameClient.exe (file missing)
    O9 - Extra button: ComcastHSI - {68F460C0-DB60-4E5E-919C-F0CC4CC859C2} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {7BDDEB8F-DA99-4A05-86B8-AF15D262D8AA} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {F2B2E116-47F1-486C-AD38-BC27F76AC912} - http://www.comcastsupport.com (file missing) (HKCU)
    O15 - Trusted Zone: http://*.69sexsearch.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\Owner\Local Settings\Temp\3D4.tmp.exe
    C:\WINNT\system32\luislmst.exe
    C:\WINNT\system32\wotfgm.exe
    C:\WINNT\system32\afkqgy.exe
    C:\WINNT\system32\ATHEUIufpe.exe
    C:\WINNT\system32\mzintf.exe
    C:\WINNT\system32\qyoctiv.exe
    C:\WINNT\system32\tmnxh.exe
    C:\WINNT\system32\htapwiosr.exe
    C:\WINNT\system32\dptiack.exe
    C:\Q92194.exe
    C:\WINNT\system32\pidisc.exe
    C:\WINNT\system32\svcqnq.exe
    C:\WINNT\system32\axiasq.exe
    C:\WINNT\system32\bozwot.exe
    C:\WINNT\system32\friosmk.exe
    C:\WINNT\system32\xexblbr.exe
    C:\WINNT\system32\cluadlh.exe
    C:\WINNT\system32\aaamapildp.exe
    C:\WINNT\system32\qyovnlqn.exe
    C:\WINNT\system32\dhtagg.exe
    C:\WINNT\system32\6to4dlhctr.exe
    C:\WINNT\system32\o4dimfdbad.exe
    C:\WINNT\System32\wininet.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager, kill the process if it is running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
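A small triage script over the entry types in the log above, added here as an example; it is not part of the thread and not a HijackThis feature. The heuristics it applies (8-hex-digit Run value names, autoruns launched from Temp or the root of C:, an .exe carrying a Windows DLL name, Trusted-zone additions, orphaned O9 buttons) are assumptions drawn from the patterns in this particular log, and the ctfmon line in the sample is a constructed benign entry.

```python
import re

# Constructed sample in HijackThis 1.99 log format: all lines but the ctfmon one
# are copied from the log posted in this thread; ctfmon is a constructed benign
# entry so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aflashcounter.com/?a=2
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [3D4.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\3D4.tmp.exe 5 10001
O4 - HKLM\..\Run: [4CE612F6] C:\WINNT\system32\luislmst.exe
O4 - HKCU\..\Run: [wininet] C:\WINNT\System32\wininet.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
"""
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8}$")   # value names like [4CE612F6]
# An autorun .exe named after a Windows DLL (wininet.exe is not a Windows binary).
DLL_NAMES = {"wininet", "kernel32", "user32", "advapi32"}

def triage(log_text):
    """Return (section, reason, line) for entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body, reason = m["sec"], m["body"], None
        if sec == "R1" and "SearchURL" in body and "microsoft.com" not in body.lower():
            reason = "IE search URL points at a third-party host"
        elif sec == "R3" and "missing" in body:
            reason = "default URLSearchHook removed (hijacker residue)"
        elif sec == "O4" and (o4 := O4_RE.match(body)):
            name, cmd = o4["name"], o4["cmd"].lower()
            if HEX_NAME_RE.match(name):
                reason = "autorun value named with 8 hex digits, not a product name"
            elif "\\temp\\" in cmd or re.match(r'^"?c:\\[^\\]+\.exe', cmd):
                reason = "autorun launched from Temp or the root of C:"
            elif name.lower() in DLL_NAMES:
                reason = "autorun .exe named after a Windows system DLL"
        elif sec == "O9" and "(file missing)" in body:
            reason = "orphaned IE button/menu entry"
        elif sec == "O15":
            reason = "host or IP added to the IE Trusted zone"
        if reason:
            findings.append((sec, reason, raw.strip()))
    return findings
```

Running `triage(SAMPLE_LOG)` flags every pasted line and leaves the benign ctfmon autorun alone.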
     
