IST search problem

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

Also post the log from Spybot that shows what it is finding.

 

Click Start > Run > enter (copy and paste is better) the following text, then click OK:

regsvr32 /u btxppanel.dll

If it doesn't work, enter it this way:

regsvr32 /u C:\WINDOWS\system32\btxppanel.dll


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ulqv] C:\WINDOWS\ulqv.exe
O4 - HKLM\..\Run: [ohifgdyz] C:\WINDOWS\ohifgdyz.exe
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll

I do not believe that it is valid for CWShredder to be see running as a service. And there is no reason for it to be running that way either. So I'm going to have you fix this too?
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\me\My Documents\program set ups\random malware removal shit\CWShredder.exe

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\ulqv.exe
C:\WINDOWS\ohifgdyz.exe
C:\WINDOWS\system32\btxppanel.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Quickly check a new HJT log at this point. If your HJT log now still show CWShredder.exe running, perform the below steps.

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

CWShredder Service


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

It is much easier for us to help you if you help us. You must provide specifics. The above is too vague to be useful. Give exact filenames and paths. Tell us the exact symptoms. Tell us folder names. Tell us what .exe file name. Tell us what the "couple other things". Tell us exactly what Spybot found or post the log. By now I think you get the point of what I'm requesting.

There are no problems showing in your HijackThis log. You do need to get a real firewall installed to protect you properly and then the one in WinXP SP2 should be disabled. See the link below and make sure you have complete ALL of those steps (or the equivalents):

How to Protect yourself from malware!

 

Look in Add/Remove programs for Daily Weather Forecast and uninstall it if found. Please tell me if found.

Copy the below locally or print it. You must exit all browsers before running this and also disconnect from the Internet.

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixIA.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixIA.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add into the registry, click YES!

Just incase the Daily Weather Forecast item had no uninstall, I included it in the fixes below.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Program Files\Daily Weather Forecast\weather.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Daily Weather Forecast <--- the whole folder
C:\Documents and Settings\wilder\Local Settings\Temp\17778.exe
C:\WINDOWS\ExeDialer.exe
C:\Program Files\Instant Access <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Why aren't you sure? All you have to do is check Spybot again and see it it still gives you the reported problems.

 

So right now you are clean other then your question on the Xerox folder?

What files are in this folder and is there anything in Add/Remove programs you do not recognize?

Do the below:

Open HijackThis, click Open Misc Tools section
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.