How do I get rid of this

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by FayEgo, Apr 14, 2005.

  1. FayEgo

    FayEgo Private E-2

    FayEgo, Apr 14, 2005
    #1
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    http://www.majorgeeks.com/images/grenade.gif Download HijackThis 1.99.1

    http://www.majorgeeks.com/images/grenade.gif Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    http://www.majorgeeks.com/images/grenade.gif Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    http://www.majorgeeks.com/images/grenade.gifBefore running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    http://www.majorgeeks.com/images/grenade.gifRun HijackThis and save your log file.

    http://www.majorgeeks.com/images/grenade.gif Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    http://www.majorgeeks.com/images/grenade.gifNeed help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
    bjgarrick, Apr 14, 2005
    #2
  3. FayEgo

    FayEgo Private E-2

    Here is the log
     

    Attached Files:

    FayEgo, Apr 15, 2005
    #3
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Please update your version of Hijack This.
    Second:
    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    After doing both these steps, attach a fresh HJT log.
     
    bjgarrick, Apr 15, 2005
    #4
  5. FayEgo

    FayEgo Private E-2

    Hopefully this is correct.
     

    Attached Files:

    FayEgo, Apr 15, 2005
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since BJ is not around, I'll try to keep you moving along.

    Your OS and IE versions are seriously out of date. After all of your current problems are resolved, you must get updated.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: IE SP2 AddOn - {19596B06-E488-4BB6-B71C-32B8A6A69CA1} - C:\WINDOWS\System32\spehs.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\spehs.dll

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.

    Are the below IP addresses for you ISP and or home network?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02765DA6-1ABA-44AB-B52C-DBCCB8BA73F0}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3AF76F3A-345C-484E-87B8-B47B19DE09E7}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A11FDBF0-A212-40BD-9FDD-E366B1D254F7}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS1\Services\Tcpip\..\{02765DA6-1ABA-44AB-B52C-DBCCB8BA73F0}: NameServer = 69.50.176.156,195.225.176.31
    O17 - HKLM\System\CS2\Services\Tcpip\..\{02765DA6-1ABA-44AB-B52C-DBCCB8BA73F0}: NameServer = 69.50.176.156,195.225.176.31
     
    chaslang, Apr 15, 2005
    #6

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds