Win-Eto Problem

I need help deleting win-eto off my homepage..... something everyone has.. here is my HJT log thingie whatever. Just tell me what to delete and how to get to the R1s and stuff like that so that I can delete them..

Logfile of HijackThis v1.99.1
Scan saved at 1:59:13 PM, on 6/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\ot33ry4x8ethd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\UPX4MI~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\ot33ry4x8ethd.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {1ACDF1F3-8D95-1021-5FC0-41A137DD365F} - http://69.50.182.94/1/gdnUS1862.exe
O16 - DPF: {2C373C7B-8DBE-0847-AC41-06D7656694CD} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {2E7B30F5-3054-18DE-5DEB-137E2472EA0F} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {32D21812-9623-5C18-92A7-4D60784C793B} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1425d414ad0d84...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - AppInit_DLLs: tihh9ilk58bw7.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

I know nothing of hardcore computer stuff so tell it to me where I can understand...major props for anyone who can help!


Hi Hydemybroknheart,

Very Important!!! Please create a permanent folder for HijackThis (I suggest C:\HJT or C:\HijackThis) and move the HijackThis program there. HijackThis will create a number of backup files which may be lost, along with HijackThis, if left in a temporary folder.

To create a permanent folder:

Click My Computer, then C:\

In the menu bar, File->New->Folder.

That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ or C:\HijackThis\ folder. Put your HijackThis.exe there, and double click to run it.

Always make sure you run HijackThis from the permanent folder.

Download CWShredder

Double click on CWShredder.exe to run the program.

Click Fix and then Next, let it fix everything it asks about.

When the scan is completed and all files are removed, close the application.

  • Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
    1. Download Ad-Aware SE Personal 1.06:

    2. Install Ad-Aware SE Personal 1.06:
       • Double-click on aawsepersonal.exe to install the program.
       • Follow the default settings for installation.
       • After the program has finished installing, uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.

    3. Update Ad-Aware SE Personal 1.06:
       • Double-click the Ad-Aware SE Personal icon on your desktop.
       • Click "Check for updates now", then click "Connect".
       • It will check for any updates. If any are found, click "OK" to download and install the updates. Once it has finished, click "Finish".

    4. Configure Ad-Aware SE Personal 1.06:
       • Click on the Gear button at the top of the window.
       • Click "General" on the left hand side to display the General Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         • "Automatically save logfile"
         • "Automatically quarantine objects prior to removal"
         • "Safe Mode (always request confirmation)"
         • "Prompt to update outdated definitions" - change to 7 days from the default 14.
       • Click "Scanning" on the left hand side to display the Scan Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         • "Scan within archives"
         • "Select drives & folders to scan" - select your hard drive(s).
         • "Scan active processes"
         • "Scan registry"
         • "Deep-scan registry"
         • "Scan my IE favorites for banned URLs"
         • "Scan my Hosts file"
       • Click "Advanced" on the left hand side to display the Advanced Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
         • "Move deleted files to Recycle Bin"
         • "Include additional object information"
         • "Include negligible objects information"
         • "Include environment information"
       • Click "Defaults" on the left hand side to display the Default Settings box. Make sure these items have your preferred settings in them:
         • "Default homepage"
         • "Default searchpage"
       • Click "Tweak" on the left hand side to display the Tweak Settings box.
         • Click the + (plus) sign next to the Log Files section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
           • "Include basic Ad-Aware settings in log file"
           • "Include additional Ad-Aware settings in log file"
           • "Include reference summary in log file"
           • "Include alternate data stream details in log file"
         • Click the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
           • "Unload recognized processes & modules during scan"
           • "Scan registry for all users instead of current user only"
           • "Obtain command line of scanned processes"
         • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
           • "Always try to unload modules before deletion"
           • "During removal, unload Explorer and IE if necessary"
           • "Let Windows remove files in use at next reboot"
           • "Delete quarantined objects after restoring"
       • Once you are done with these settings, click "Proceed" to save them.
       • This will take you back to the main screen.

    5. Run Ad-Aware SE Personal 1.06:
       • Click the "Start" button.
       • Uncheck the "Search for negligible risk entries" entry.
       • Choose the "Use custom scanning options" scan mode.
       • Click the "Next" button.
       • Ad-Aware will begin to scan for malware residing on your computer.
       • Allow the scan to finish.
       • Right-click on any entry in the list and click "Select All" to select the whole list.
       • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

Download Pocket Killbox:

http://www.downloads.subratam.org/KillBox.zip

Place it in a folder on your Desktop.

Do not run it yet.

Run HijackThis and place checks beside each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\UPX4MI~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\ot33ry4x8ethd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {1ACDF1F3-8D95-1021-5FC0-41A137DD365F} - http://69.50.182.94/1/gdnUS1862.exe
O16 - DPF: {2C373C7B-8DBE-0847-AC41-06D7656694CD} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {2E7B30F5-3054-18DE-5DEB-137E2472EA0F} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {32D21812-9623-5C18-92A7-4D60784C793B} - http://69.50.173.166/1/gdnUS1862.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1425d414ad0d84...ip/RdxIE601.cab
O20 - AppInit_DLLs: tihh9ilk58bw7.dll

After you check these items, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

Extract Pocket KillBox from the zip file and double-click on Killbox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

When done, and back at the main screen of KillBox, select the option: Delete on Reboot

Then, in the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\System32\UPX4MI~1.DLL

Press the button with a red circle and a white X (Delete File button)

Click Yes at the Delete on Reboot confirmation prompt.

Click No at the request to reboot.

Do exactly the same as above for each and every one of the files that follow, and select No at the request to reboot!

C:\WINDOWS\System32\ot33ry4x8ethd.exe

Finally, in the Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\tihh9ilk58bw7.dll <--it is quite likely that this file name will have changed if you have rebooted since you posted your log. If it has changed just replace tihh9ilk58bw7.dll with the file name shown on the O20 - AppInit_DLLs: line when you run HijackThis.

Press the button with a red circle and a white X.

Click Yes at the Delete on Reboot prompt.

Click Yes at the request to reboot.

On this last file, close KillBox and Notepad, and Reboot the computer!!

Run HijackThis and post a new log.
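The helper's checklist above is built by eye from the log in the first post: search/start pages pointing at a domain the user never chose, a BHO registered with no name, a Run entry launching a System32 executable with a random-looking name, O16 Downloaded Program Files entries that use the ms-its/mhtml loader or fetch a bare .exe from a numeric IP, and anything at all in AppInit_DLLs (which Windows loads into every process that maps user32.dll). The script below, an added example that is not part of this thread and not HijackThis code, applies those same checks offline to a constructed sample in the format of the log above. The trusted-host list and the "random-looking name" threshold are assumptions for this example; a heuristic like this finds the obvious entries but not every one a human reviewer would pull (the helper also removed the RealPlayer RdxIE entry, which no rule here flags).

```python
"""Offline triage of a HijackThis log, flagging the entry types that carried the
win-eto hijack: R0/R1 page hijacks, a nameless O2 BHO, an O4 Run entry with a
random-looking filename, O16 DPF loaders that use ms-its/mhtml or pull .exe
payloads from bare IP addresses, and any O20 AppInit_DLLs value."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Hosts the user expects as start/search page (assumption for this example).
TRUSTED_HOSTS = {"www.yahoo.com", "red.clientapps.yahoo.com"}

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
FILE_RE = re.compile(r"([\w~]+)\.(?:exe|dll)\b", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic only: three or more letter<->digit switches in a filename stem
    (ot33ry4x8ethd, tihh9ilk58bw7) versus one in ordinary names (navw32, RdxIE601)."""
    kinds = ["d" if ch.isdigit() else "a" for ch in stem if ch.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b) >= 3


def _http_host(url: str):
    """Hostname for http(s) URLs; None for other schemes such as ms-its:."""
    parts = urlparse(url)
    return parts.hostname if parts.scheme in ("http", "https") else None


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Return (reason, line) for a suspicious entry, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and " = " in body:
        host = _http_host(body.split(" = ", 1)[1])
        if host and host not in TRUSTED_HOSTS:
            return ("IE start/search page points off the trusted list", line)
    elif sec == "O2" and body.startswith("BHO: (no name)"):
        return ("BHO registered with no name", line)
    elif sec == "O4":
        f = FILE_RE.search(body)
        if f and looks_random(f.group(1)):
            return ("Run entry launches a random-looking filename", line)
    elif sec == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = _http_host(url)
        if host is None:
            return ("DPF entry uses a non-HTTP loader (ms-its/mhtml)", line)
        if _is_ip_literal(host):
            return ("DPF entry downloads from a bare IP address", line)
        if url.lower().endswith(".exe"):
            return ("DPF entry pulls a raw executable rather than a .cab", line)
    elif sec == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            return ("AppInit_DLLs injects a DLL into every user32 process", line)
    return None


def triage(log_text: str):
    """All suspicious entries in a log, in log order."""
    return [hit for hit in map(triage_line, log_text.splitlines()) if hit]


# Constructed sample in the shape of the log above (a subset of its lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\UPX4MI~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\ot33ry4x8ethd.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
O16 - DPF: {1ACDF1F3-8D95-1021-5FC0-41A137DD365F} - http://69.50.182.94/1/gdnUS1862.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O20 - AppInit_DLLs: tihh9ilk58bw7.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; each hit comes back as the reason plus the exact log line, so the output can be pasted straight into a "place checks beside" list like the one above. Before fixing anything on a real machine, the O4 rule in particular deserves a manual look, since a vendor tool with a version number in its name can trip it.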
