Fix any line item references (below) to the following sites if you don't know why you are going to these sites:
http://www.adelphia.net/index.php
http://www.gatewaybiz.com
Quote:
|
C:\Documents and Settings\Owner\Desktop\hijackthis.exe
|
Needs to be in a FOLDER such as:
C:\Program Files\hijackthis\hijackthis.exe
HijackThis is running from an ill-advised location. Need to move it to its own FOLDER to avoid horrible clutter on the desktop (see previous instructions on this).
Read over the following directions. Ask if anything appears unclear to you.
Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat
We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.
SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-sea...=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-sea...=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\se\v11\se.DLL (file missing)
O4 - HKLM\..\Run: [SYSUPD] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [WDSKCTL] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [SEARCH-EXE] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [BULLSEYE NETWORK] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VIEWMGR] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: (no name) - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: IMI - {A80F2DB2-80A9-4834-8F5A-4AB70F4EF4C3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/trans/SysUpd.CAB
Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.
HIDDEN FILES: To make sure you can see all hidden files, please follow the directions
here
SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained
here if needed).
Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):
Go to Start > Run and type:
CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for: - Temporary Internet Files
- Downloaded Program Files
- Recycle Bin
- Temporary Files
Click OK or Enter
For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.
***** Clean out the
Recycle Bin for items removed below,
ONLY once you have regained the full functional use of your PC.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
C:\WINDOWS\sysupd.exe
C:\WINDOWS\wdskctl.exe
DELETE APPLICATION FOLDERS (verify they haven't reloaded)- Go to Add/Remove Programs
- In Control Panel>Add/Remove Programs look for any related entries for unwanted items listed below (or anything else you need to investigate or did not put in there).
- UNINSTALLER Alternate SEARCH: Otherwise, advisable to locate and try right-clicking on any of the given SEARCH FOLDER items below and further search (tick include subdirectories) for the following exact text:
UN*.EXE, *UN*.EXE
This may reveal an uninstaller with label terms such as '...uninstall...EXE', ‘unins000’, or 'unwise.EXE'. Double-click that EXE, if one is found. Thereafter, check to ensure that the folder is completely gone. Otherwise, consider deleting the folder in question.
-----> C:\Program Files\se
-----> C:\Program Files\BullsEye Network
-----> C:\Program Files\Viewpoint
-----> C:\Program Files\AWS
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.