Newbie Question

Discussion in 'Malware Help (A Specialist Will Reply)' started by Ron@AZ, Jun 2, 2005.

  1. Ron@AZ

    Ron@AZ Private E-2

    I was trying to follow the rules under the read me first section and I had a quick question. I have all of the files downloaded to a folder and booted into safe mode to do the online scan. There were about 160 files that were found but it says that they can't be cleaned. Do I delete them or just ignore them for now? Thanks,
    Ron
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete all infected files and proceed with the READ ME. After you complete every step in the READ ME that applies to you then attach a HJT log as an attachment to your post.
     
  3. Ron@AZ

    Ron@AZ Private E-2

    Ok I did everything in the readme except I could not get the second online scan to run in safe mode or regular. I will attach my HJT log. I don't know if it makes any difference but this is my computer at work. We only have about ten people so there is not an IT person. I am by no means up to geek status myself either. Thanks for the help.
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jjhew.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jjhew.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jjhew.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jjhew.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jjhew.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jjhew.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jjhew.dll/sp.html#37049

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {EAE713DF-118F-1F39-EFC8-4D77F572DB1F} - C:\WINNT\sysft.dll

    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
    O4 - HKLM\..\Run: [msio.exe] C:\WINNT\msio.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    (This restriction is added from Spybot S&D or Ad-Aware, this needs to be removed from the program)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.



    Locate PocketKillbox

    Now, Copy and Paste C:\WINNT\system32\jjhew.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\system32\ntyr32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\sysft.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINNT\msio.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system. After you have rebooted and windows has loaded, post a fresh HJT log.
     
  5. Ron@AZ

    Ron@AZ Private E-2

    OK, I followed the steps you listed and I am attaching my new HJT log. Everything seems to be ok now. Thanks again for all of your help.
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntyr32.exe (file missing)

    Make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntyr32.exe (file missing) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner

    After you complete the above, reboot and post one last HJT log.
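    The entries bjgarrick picked out of the two logs above (res:// search URLs, a BHO and a Run entry loading from the Windows directory, a service with a garbage short name and a missing binary) share a few patterns. The following is an added example, not from this thread or from HijackThis, that parses HJT-style log lines and flags those same patterns. The sample lines are constructed from the entries above, with two benign lines added for contrast.

```python
import re

# Constructed sample log, modelled on the HijackThis entries fixed in this thread.
# The Start Page and Windows Time lines are benign and added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jjhew.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Class - {EAE713DF-118F-1F39-EFC8-4D77F572DB1F} - C:\WINNT\sysft.dll
O4 - HKLM\..\Run: [msio.exe] C:\WINNT\msio.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O23 - Service: Windows Time (W32Time) - Microsoft Corporation - C:\WINNT\system32\svchost.exe -k netsvcs
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\ntyr32.exe (file missing)
"""

# A file sitting directly in the Windows directory (not in a subfolder such as system32).
WIN_ROOT = re.compile(r"^c:\\winnt\\[^\\]+$")


def triage(log_text):
    """Return (line, reason) pairs for every HJT entry matching a rule drawn from this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        # R0/R1: IE start or search URL served from a res:// page inside a local DLL.
        m = re.match(r"^R[01] - .* = (?P<value>.*)$", line)
        if m and m["value"].lower().startswith("res://"):
            findings.append((line, "IE start/search URL points at a res:// page inside a local DLL"))
            continue
        # O2: Browser Helper Object whose DLL lives directly in the Windows directory.
        m = re.match(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (?P<path>.*)$", line, re.I)
        if m and WIN_ROOT.match(m["path"].lower()):
            findings.append((line, "BHO DLL loaded directly from the Windows directory"))
            continue
        # O4: autostart entries from the Windows root, or one that launches IE at logon.
        m = re.match(r"^O4 - .*\\Run: \[[^\]]+\] (?P<cmd>.*)$", line)
        if m:
            exe = m["cmd"].strip('"').lower()
            if WIN_ROOT.match(exe):
                findings.append((line, "Run entry launches an executable from the Windows root"))
            elif exe.endswith("\\iexplore.exe"):
                findings.append((line, "Run entry starts Internet Explorer at logon"))
            continue
        # O23: services whose binary is gone or whose short name is non-ASCII junk.
        m = re.match(r"^O23 - Service: .*? \((?P<short>[^)]*)\) - .*? - (?P<path>.*)$", line)
        if m:
            if "(file missing)" in m["path"]:
                findings.append((line, "service points at a binary that no longer exists"))
            if not m["short"].strip().isascii():
                findings.append((line, "service short name contains non-ASCII characters"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags every entry the thread told Ron to fix and leaves the two benign lines alone; the ntyr32 service is reported twice, once per rule it trips.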
     
  7. Ron@AZ

    Ron@AZ Private E-2

    Here is the latest HJT log. Almost everything is perfect except I can't get rid of some unwanted favorites in IE.
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    After you remove the above entries your log will be clean. As far as the problem with the favorites, go into the directory and manually remove them.

    C:\Documents and Settings\YOUR USERNAME\Favorites

    Afterwards, let me know if any problems remain!
     
