Need some help with this adware

Discussion in 'Malware Help (A Specialist Will Reply)' started by kienticrecord, Feb 10, 2005.

  1. kienticrecord

    kienticrecord Private E-2

    I can't get some adware off my computer. I have HijackThis and I have created a log file; check it out.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:05:58 PM, on 2/9/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    If you can help me, please let me know what I need to take out of here. Thanks.
     
    Last edited by a moderator: Feb 10, 2005
  2. PhilliePhan

    PhilliePhan Guest

    Hi kienticrecord,

    Your version of HijackThis is waaaaaay out-of-date!!

    Looks like you've got About:Blank, among other problems.

    Generally, it is a good idea to start with the Cleanup Tutorial Below - Be sure to do the steps that apply to your About:Blank issues:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  3. budda science

    budda science Private E-2

    This is still kinetic record, I had to change my screen name because I couldn't get back into my old account. Anyway, I did most of the tasks in the READ ME FIRST thread, and I had to stop because I have the "Only the Best" aka "HSA" HIJACKER somewhere. As soon as I went through the steps in the http://forums.majorgeeks.com/showthread.php?t=38772 thread, I got all the way to step 5, where you go into the Run command and type in notepad c:\path\xxxxx.dll and then click OK, and I get this message "The system could not find command specified" and it brought up Notepad.

    Since I did not get to delete all the lines that were supposed to come up, I'm stuck on what to do next.

    Should I just keep going or should I do something else?

    Holler back at me when you get this.

    Thanks.
     
  4. budda science

    budda science Private E-2

    ps here goes my HJT log file in .txt
     

  5. PhilliePhan

    PhilliePhan Guest

    Hi Budda,

    Sorry I didn't get back to you sooner!

    EDIT: PP - Before you start this, please extract HijackThis from the Zip File to its own SAFE folder - C:\Program Files\HijackThis. You MUST do this!!


    This baddie will mutate on reboot, so all we can do on this first pass is clean a few things. Some may already be different. Most will come back and, when they do, you must not reboot after submitting the new HJT log so we can clean those up.

    For now, please do this:

    FIRST:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it cwfix.reg


    REGEDIT4

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000002

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000004

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000004

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000004
    Now:
    DoubleClick on the cwfix.reg file you made and allow it to merge the registry entries into the registry.


    NEXT:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see them, try to END them:

    javami32.exe
    syswe.exe


    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hmqcv.dll/sp.html#44768
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hmqcv.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hmqcv.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hmqcv.dll/sp.html#44768
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hmqcv.dll/sp.html#44768
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hmqcv.dll/sp.html#44768

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {49FD05AE-8241-B18A-B653-37460E458990} - C:\WINDOWS\system32\addcq32.dll

    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe --> Delete Updmgr Folder
    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [syswe.exe] C:\WINDOWS\system32\syswe.exe
    O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
    O4 - HKLM\..\RunOnce: [javami32.exe] C:\WINDOWS\system32\javami32.exe

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: http://www.distance-education.itt-tech.edu ---> This should go too – You should Keep Trusted Zone empty!
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/7cdaa525/enter.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\wingf.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\hmqcv.dll
    C:\WINDOWS\system32\addcq32.dll
    C:\Program Files\Common files\updmgr ---> The Folder
    C:\PROGRAM FILES\COMETS~1 ---> The Folder
    C:\WINDOWS\system32\syswe.exe
    C:\WINDOWS\system32\tibs5.exe
    C:\WINDOWS\system32\javami32.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Remember, after you submit the new HJT Log, YOU MUST NOT REBOOT or the baddies will mutate!

    Best luck :)
    PP
     
    Last edited by a moderator: Feb 13, 2005
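The cwfix.reg file in the post above works by deleting each ZoneMap\Domains key the hijacker created (the `[-key]` syntax) and re-creating it with `"*"` mapped to zone 4 (Restricted Sites) instead of zone 2 (Trusted Sites). As an added illustration, not code from the thread or from PhilliePhan, the Python below parses the wildcard O15 lines from the HijackThis log, generates the equivalent REGEDIT4 fix, and simulates merging it into a constructed in-memory registry so the before/after zone value can be checked offline; the sample O15 lines are copied from the post, and the registry dictionary is a stand-in for the real one.

```python
import re

ZONE_TRUSTED, ZONE_RESTRICTED = 2, 4  # IE ZoneMap zone ids: 2 = Trusted Sites, 4 = Restricted Sites
ZONEMAP = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

# Constructed sample input: the wildcard O15 lines from the log above (an IP-range line is included to show it is skipped).
SAMPLE_O15 = """O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149"""

O15_RE = re.compile(r"^O15 - Trusted Zone: \*\.(?P<domain>[\w.-]+)(?P<hklm> \(HKLM\))?$")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

def parse_o15(log):
    """Return (hive, domain) pairs for wildcard O15 Trusted Zone lines; IP ranges and plain URLs are left alone."""
    pairs = []
    for line in log.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            pairs.append(("HKEY_LOCAL_MACHINE" if m.group("hklm") else "HKEY_CURRENT_USER", m.group("domain")))
    return pairs

def build_reg_fix(pairs):
    """Emit REGEDIT4 text: [-key] removes the hijacker's ZoneMap key, then [key] re-creates it in the Restricted zone."""
    out = ["REGEDIT4", ""]
    for hive, domain in pairs:
        key = f"{hive}\\{ZONEMAP}\\{domain}"
        out += [f"[-{key}]", "", f"[{key}]", f'"*"=dword:{ZONE_RESTRICTED:08x}', ""]
    return "\n".join(out)

def apply_reg(reg_text, registry):
    """Simulate regedit merging the file into an in-memory registry {key: {value_name: dword}}; returns a new dict."""
    reg = {k: dict(v) for k, v in registry.items()}
    current = None
    for line in reg_text.splitlines():
        km, vm = KEY_RE.match(line), DWORD_RE.match(line)
        if km and km.group("delete"):
            reg.pop(km.group("key"), None)  # [-key] deletes the whole key; no values are needed under it
            current = None
        elif km:
            current = km.group("key")  # [key] creates the key and makes it the target for following values
            reg.setdefault(current, {})
        elif vm and current is not None:
            reg[current][vm.group("name")] = int(vm.group("val"), 16)
    return reg
```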
