Here is my logfile. I have tried everything and I am hoping this will finally work.
I have run Spybot and Ad-Aware and cleaned what those suggest.
Logfile of HijackThis v1.99.0
Scan saved at 2:30:44 PM, on 2/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
welcome to dal the online computer help forum could you please first follow the advice on the link called owens help then posta fresh hijack this log then somew body can check it for you also update your version of hjt
if you need further help to do this please come back to me
I did do all that and even tried to downlaid the version of hijacthis on Owens page...said I had it already. I ran spybot, and adaware and hijacthis and then posted the hijacthis log....what else do I need to do?
Logfile of HijackThis v1.99.1
Scan saved at 6:23:03 PM, on 2/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
I just downloaded AVG and found 124 trojans!! :[ McAfee didn't find them so we are now AVG lovers!!!! Anyway the about:blank is gone.....YAHOO! Here is a fresh log to be checked just in case.
Your site has been an amazing source of useful information.....MANY THANKS!
oops, in all my excitement, I forgot to submit the log, here it is.
Logfile of HijackThis v1.99.1
Scan saved at 11:48:26 AM, on 2/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Hello,
Please could you download and unzip About:Buster from AboutBuster. Leave it for now, we'll use it later. Also download and install Ad-aware from here.
Once you have installed Ad-aware, run the program and in the bottom right hand corner click Check For Updates. Update Ad-aware following the prompts and then close the program, we will use it later.
Locate Workstation NetLogon Service. Double click it and click the Stop button in the Properties window. Select Disabled from the drop down menu next to Startup Type. Click Ok and exit Services.
Press Ctrl+Alt+Del to get into Task Manager. Once in Task Manager, end the following processes (if they exist):
d3tq32.exe
Restart Hijack This and put a checkmark next to these entries and click Fix Checked:
Now run the file aboutbuster.exe that we downloaded earlier. When the tool is open press the Ok button, then the Start button, then the Ok button, and then finally the Yes button. If it asks if you would like to do a second pass, allow it to do so.When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
Click File> Save As. Click the drop down arrow next to Save as type: and select all files. In the filename box type fix.reg. Save it to a convenient location. Once saved, double click it and confirm that you want it to merge with the registry.
Now Start Ad-aware
We need to configure Ad-aware for a full scan.
Click on the Gear icon (second from the left) to access the preferences/settings window
1. In the General window make sure the following are selected:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
Scan Within Archives
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file
Under Click here to select drives + folders, choose:
All of your hard drives
Click on the Advanced button on the left and select:
Include additional process information
Include additional file information
Include environment information
Click the Tweak button and select:
Under the Scanning Engine:
Unload recognized processes & modules during scan
Include additional Ad-aware settings in logfile
Under the Cleaning Engine:
Let Windows remove files in use at next reboot
Click on Proceed to save the settings.
Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Save the log file when it asks and then click Finish
When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Then go to Start> Run and type cleanmgr.
Put a checkmark next to: Temporary Files
Temporary Internet Files
Recycle Bin
Click Ok
Reboot into Normal Mode.
Note: Two, possibly three files may have been deleted from your computer by the hijacker and may need to be replaced:
Control.exe. If control.exe is missing go to merijn and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.
hosts (with no extension). Download the Hoster. Press "Restore Original Hosts" and press "OK". Exit Program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself
SDHelper.dll (if you are using Spybot Search & Destroy). If you have Spybot S&D installed and SDHelper.dll is missing, replace it with this one. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow all ActiveX. In IE, click Tools> Internet Options and then click the Security tab. Click on Custom Level and make sure that the following settings are correct:
Download signed ActiveX controls (Prompt)
Download unsigned ActiveX controls (Disable)
Initialize and script ActiveX controls not marked as safe (Disable)
Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
Script ActiveX controls marked safe for scripting (Prompt)
[*]Be patient and wait for a response, we'll do our best to help resolve your issue.
[*]When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!
If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.
Hi, thanks for your response. Here is the aboutbuster log and new hijack log.
Here is a problem that has still remained for us:
1. before this whole process we were trying to install the XP Service Pack 2. We get through the extraction, starting the backup and this error comes up everytime:
“Service Pack 2 Setup could not back up registry value
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Se curity\Security,\`EventMessageFile\`. 5: Access is denied
We have gone in and given full control to the whole HKLM….yet when I rebooted out of Safe Mode to go and try and install again, I went back to uncheck full control and it had unchecked itself.
Is this installation problem because of this spyware or something else?
Thanks again for alllllllll your wonderful help!!!
Scanned at: 11:16:03 AM on: 2/25/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 9:25:12 AM on: 2/26/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 10:41:40 AM on: 2/26/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Logfile of HijackThis v1.99.1
Scan saved at 9:05:20 PM, on 2/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Please download the attached DelDomains.zip. Unzip it and right click the file DelDomains.inf and from the drop down menu, click Install. It will perform a silent process.
Warning: This will delete all sites in the IE Trusted and Restricted Zones! If you have made immunizations with software such as SpywareBlaster and Spybot, you will need to perform them again after this procedure.
[*]Be patient and wait for a response, we'll do our best to help resolve your issue.
[*]When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!
If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.
Click on the Gear icon (second from the left) to access the preferences/settings window
