26-03-2006, 10:43 PM
Neal
Re: Help with spyware and hijack this logs

Hi,


Print these instructions out.


Don't run the tool just yet; we will run it from safe mode in a bit.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
=============================================
If you use Firefox Browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

=============================================
If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

=============================================


Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5



Run HijackThis, click on the Scan button, and put checks next to these items:


0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe

O2 - BHO: BMG3.LongTooth - {8110581C-FEA4-47AC-ADBC-DE958DD0F354} - C:\WINDOWS\system32\{8110581C-FEA4-47AC-ADBC-DE958DD0F354}.dll

O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [F4F5FBF6FEF6FEF] 0C0D130E160E1.exe
O4 - HKCU\..\Run: [rupnc] C:\WINDOWS\system32\vheubj.exe reg_run

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)

O16 - DPF: {886DDE35-E585-11D0-A707-000000521958} - http://69.56.176.76/webplugin.cab



Again, make sure all browser windows are closed and click FIX.


Now reboot into safe mode: tap your F8 key upon restart and, when the safe mode screen appears, select Safe Mode and press Enter.


Hunt for and delete if present:


wlcclpl.exe
C:\WINDOWS\ms0509283-3207.exe < file
C:\WINDOWS\system32\vheubj.exe < file
C:\WINDOWS\errorhandler.exe < file
C:\WINDOWS\system32\expload.exe < file
0C0D130E160E1.exe < file


Now run ATF Cleaner from safe mode, following the instructions previously stated.


Reboot into normal mode and give me another Panda scan log, please.
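Added example, not part of Neal's post: a Python parser for the F2 and O4 lines quoted in the post, listing the executables those autostart entries launch so they can be compared with the "hunt for and delete" list. It assumes the usual HijackThis line layout and that the default UserInit value starts only userinit.exe; the function name autostart_files is hypothetical.

```python
import re

# Lines copied from the post above (a subset of the entries to be checked).
LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,wlcclpl.exe
O4 - HKLM\..\Run: [ms0509283-3207] C:\WINDOWS\ms0509283-3207.exe
O4 - HKLM\..\Run: [uyilbi] C:\WINDOWS\system32\vheubj.exe reg_run
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\system32\expload.exe
O4 - HKLM\..\Run: [F4F5FBF6FEF6FEF] 0C0D130E160E1.exe
O4 - HKCU\..\Run: [rupnc] C:\WINDOWS\system32\vheubj.exe reg_run
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")               # "O4 - <rest>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")  # hive, value name, command
EXE = re.compile(r"^(.*?\.exe)\b", re.IGNORECASE)         # command without arguments

def autostart_files(log):
    """Return {executable: [entries that start it]} for F2 UserInit and O4 Run lines."""
    found = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, rest = m.groups()
        if code == "F2" and "UserInit=" in rest:
            # Assumption: the stock value runs userinit.exe only, so any other
            # comma-separated program is an extra logon autostart.
            for exe in rest.split("UserInit=", 1)[1].split(","):
                exe = exe.strip()
                if exe and not exe.lower().endswith("userinit.exe"):
                    found.setdefault(exe, []).append("F2 UserInit extra program")
        elif code == "O4":
            run = RUN.match(rest)
            exe = EXE.match(run.group(3)) if run else None
            if exe:  # drops trailing arguments such as "reg_run"
                found.setdefault(exe.group(1), []).append(
                    f"O4 {run.group(1)} Run [{run.group(2)}]")
    return found

if __name__ == "__main__":
    for path, reasons in autostart_files(LOG).items():
        print(path, "<-", "; ".join(reasons))
```

On the lines above it returns the same six file names as the delete list, with vheubj.exe referenced from both the HKLM and HKCU Run keys.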