Please HELP!!!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dperino2000, Dec 21, 2004.

  1. dperino2000

    dperino2000 Private E-2

    I don't know what I picked up, but I, like everyone else, am getting endless pop-ups. I have read the "DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan and Virus Removal" and have tried everything that they suggested. I even ran HijackThis, compared my list to the list on the web and fixed anything that was listed as malicious. However, this has not fixed the problem. I am not posting my HJT log until requested. Can anyone help? Thanks in advance.

    - David
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail client. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. dperino2000

    dperino2000 Private E-2

    I think I may have finally taken care of the problem. So far, in the past four hours, I have not had any pop-up problems. So I will not have to bother you with my HJT log after all. Thank you for your help. This site ROCKS!!!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ok! Just let us know if you still have a problem after checking it out for a while.
     
  5. dperino2000

    dperino2000 Private E-2

    Nope, I was wrong... it's still infected. This morning as I booted up I got hit with a bunch of pop-ups. One of the pop-ups in particular that keeps coming up is an advertisement for a Registry Cleaner. It says something about VBScript on the top bar of the window. Anyway, I am posting my HJT log. If you could check it out I would be most appreciative. Thanks.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Consider upgrading yourself to Win2000 SP4
    You must remember to ALWAYS exit all browsers before running HJT. You had this running:
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINNT\ZServ.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    Repeat the above procedure to unregister each of the three files below too:
    C:\WINNT\BTGrab.dll
    C:\WINNT\System32\wqszi.dll
    C:\WINNT\System32\oizvz.dll


    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINNT\ZServ.dll
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
    O2 - BHO: SDWin32 Class - {02056D12-6CC9-40A6-90B7-2C3FC34F6C7B} - C:\WINNT\System32\wqszi.dll
    O2 - BHO: SDWin32 Class - {5ECA34EE-DBDC-441E-B4EA-08C5036D9B85} - C:\WINNT\System32\oizvz.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/install/iftwclix.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/276e1827b29f7f64a116/netzip/RdxIE2.cab


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\ZServ.dll
    C:\WINNT\BTGrab.dll
    C:\WINNT\System32\wqszi.dll
    C:\WINNT\System32\oizvz.dll

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
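The steps above are typed by hand for four DLLs and two CLSIDs. As an added example (editor's code, not from this thread or from HijackThis), the script below parses the O2/O9/O16 lines quoted in the post, flags the entries with a few heuristics of my own (a BHO loading directly from the Windows or System32 directory, two BHOs sharing a class name under different CLSIDs, an ActiveX CAB served from a bare IP, or a "(file missing)" entry), and prints the same three-step removal plan per BHO: `regsvr32 /u`, delete the registration key IE reads at startup, then delete the file from safe mode. The BHO and Distribution Units registry paths are the real ones; the use of `reg.exe` is an assumption (it ships with XP and later, and with the Win2000 Support Tools). The heuristics match chaslang's list except the installshield.com entry, which is a judgment call left to the reader.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlparse

# Constructed sample input: the R0/O2/O9/O16 lines quoted from the post above.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\\WINNT\\ZServ.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\\WINNT\\BTGrab.dll
O2 - BHO: SDWin32 Class - {02056D12-6CC9-40A6-90B7-2C3FC34F6C7B} - C:\\WINNT\\System32\\wqszi.dll
O2 - BHO: SDWin32 Class - {5ECA34EE-DBDC-441E-B4EA-08C5036D9B85} - C:\\WINNT\\System32\\oizvz.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\\Program Files\\AIM95\\aim.exe (file missing)
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/install/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/276e1827b29f7f64a116/netzip/RdxIE2.cab
"""

# Registry keys IE loads BHOs and downloaded ActiveX controls from (what HJT's "Fix" removes).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
DPF_KEY = r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units"

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
WINDIR_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\(?:system32\\)?[^\\]+$")


@dataclass
class Entry:
    kind: str             # O2, O9, O16, ...
    name: str             # class or button name ("" when the log gives none)
    clsid: Optional[str]  # upper-cased {GUID}, or None
    target: str           # DLL/EXE path or CAB URL
    file_missing: bool    # HJT's "(file missing)" marker


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Onn - label: name - {CLSID} - target' line; R-lines etc. give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, _label, rest = m.groups()
    file_missing = rest.endswith("(file missing)")
    if file_missing:
        rest = rest[: -len("(file missing)")].rstrip()
    cm = CLSID_RE.search(rest)
    target = rest.rsplit(" - ", 1)[-1]          # last " - " field is the path or URL
    if cm:
        clsid = cm.group(0).upper()
        before = rest[: cm.start()].strip(" -")  # "ZServObj Class" style names
        paren = re.match(r"\s*\(([^)]*)\)", rest[cm.end():])  # O16 "(name)" style
        name = before or (paren.group(1) if paren else "")
    else:
        clsid, name = None, rest.rsplit(" - ", 1)[0]
    return Entry(kind, name, clsid, target, file_missing)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def suspicious(entries, allow_clsids=frozenset()):
    """Editor's own heuristics, not HijackThis's. Returns [(entry, [reasons])]."""
    by_name = {}
    for e in entries:
        if e.kind == "O2":
            by_name.setdefault(e.name.lower(), []).append(e)
    flagged = []
    for e in entries:
        if e.clsid in allow_clsids:
            continue
        reasons = []
        if e.file_missing:
            reasons.append("file missing")
        if e.kind == "O2":
            if WINDIR_RE.match(e.target.lower()):   # real BHOs live under Program Files
                reasons.append("DLL in Windows/System32 dir")
            if len(by_name[e.name.lower()]) > 1:    # same class name, different CLSIDs
                reasons.append("duplicate class name")
        elif e.kind == "O16":
            host = urlparse(e.target).hostname or ""
            try:
                ip_address(host)
                reasons.append("CAB served from bare IP")
            except ValueError:
                pass
        if reasons:
            flagged.append((e, reasons))
    return flagged


def removal_plan(entry: Entry) -> list:
    """The post's manual steps as commands. Assumes reg.exe is available."""
    steps = []
    if entry.kind == "O2" and entry.clsid:
        if not entry.file_missing:
            steps.append(f'regsvr32 /u "{entry.target}"')
        steps.append(f'reg delete "{BHO_KEY}\\{entry.clsid}" /f')
        steps.append(f'del "{entry.target}"   REM run from safe mode')
    elif entry.kind == "O16" and entry.clsid:
        steps.append(f'reg delete "{DPF_KEY}\\{entry.clsid}" /f')
    return steps


if __name__ == "__main__":
    for entry, reasons in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{entry.kind} {entry.clsid} {entry.name!r}: {', '.join(reasons)}")
        for step in removal_plan(entry):
            print("   ", step)
```

The script only prints commands; nothing is unregistered or deleted until you paste them into the Run dialog yourself, with every browser closed, exactly as the post says. The `allow_clsids` argument is where you put CLSIDs you have identified as legitimate so the heuristics stop flagging them.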
     
