'about:blank Quick Web Search' Help much appreciated!

Posted by: bluebledthesea

My mother's computer has been infected with all sorts of spyware, trojans, malware etc. I've run AVG, Adaware, Spybot and Winpatrol to get rid of a lot of it, but some still persists. Most noticeable is 'Quick Web Search' taking over IE with about:blank. (We do use Firefox, but it would be nice to clean out everything.) Here is a copy of the HijackThis logfile. Any help would be appreciated! Thank you so much:

Logfile of HijackThis v1.99.1
Scan saved at 2:17:55 PM, on 3/30/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\iecr32.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\System32\mrtMngr.EXE
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\EarthLink 5.0\CHCKNET.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xvlhv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F3C09C9-AD17-2579-FA98-6732FEE6300C} - C:\WINNT\sysgf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\mfcjw.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Posted by: Lobos

Please print out or copy this page to [B]Notepad[/B] in order to assist you when carrying out the following instructions.

Please download CWSserviceRemove ([url]http://castlecops.com/modules/Forums/attachments/cwsserviceremove_568.zip[/url]). Unzip it to your desktop; we'll run it later.

Download, unzip to your desktop [url=http://www.majorgeeks.com/download4289.html]About:Buster[/url] and run it, then:
1. Click "[b][i]Update[/i][/b]".
2. Click "[b][i]Check For Update[/i][/b]".
Close the program.

If you don't already have it, download, install and run [url=http://www.lavasoft.de/support/download/]AdAware SE Personal[/url].
- Next, check for, and download any available updates:
1. Click "[b][i]Check for updates now[/i][/b]".
2. Click "[b][i]Connect[/i][/b]".
3. If updates (definitions) are available click "[b][i]Ok[/i][/b]", otherwise, click "[b][i]Ok[/i][/b]".
4. Click "[b][i]Finish[/i][/b]".
Close the program.

Download, unzip to your desktop [url=http://www.intermute.com/spysubtract/cwshredder_download.html]CWShredder[/url] and run it, then:
1. Click "[b][i]Check For Update[/i][/b]" and make sure your version is 2.14 ([i]If an update isn't available, skip to step #4.[/i])
2. Click "[b][i]Click here to Download the update[/i][/b]".
3. When the new version has been downloaded, click "[b][i]Save[/i][/b]".
Close the program.

------------------------
Safemode:
Some motherboards have F8 bound as the boot menu, but if you wait till the BIOS screen summary goes away, then hit F8, it should take you into the Windows startup screen. If you still can't get to the menu with Safe Mode you can do it this way:
Close all open programs as this will require a reboot.
Click Start, Run and type in [b]MSCONFIG[/b] and click [b]OK[/b]. The System Configuration Utility appears; click on the BOOT.INI tab, check the "/SAFEBOOT" option, and then click OK and restart your computer when prompted. The computer will restart in Safe mode.
[b]Complete the instructions below.[/b]
[b][color=red]When you are finished in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer.[/color][/b]
--------------------------

Go to Start->Run and type in services.msc and hit OK. Then look for [b]Remote Procedure Call (RPC) Helper[/b]. Double click on it. Click on the Stop button and under Startup type, choose Disabled.
[b]DO NOT DISABLE [color=red]Remote Procedure Call (RPC)[/color] OR [color=red]Remote Procedure Call (RPC) Locator[/color][/b]

Open HijackThis and click on Scan. Check the following entries, [color=red]if they are still there.[/color] [B](make sure you do not miss any)[/B]

[b]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xvlhv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xvlhv.dll/sp.html#37049
O2 - BHO: (no name) - {3F3C09C9-AD17-2579-FA98-6732FEE6300C} - C:\WINNT\sysgf.dll
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\mfcjw.exe (file missing)[/b]

[B][I]Please remember to close all other windows, including browsers, then click Fix checked.[/I][/B]

Delete the following Files indicated in [b][color=red]RED[/color][/b] and Folders indicated in [b][color=blue]BLUE[/color][/b][B] if they still exist.[/B]
C:\WINNT\[b]sysgf.dll[/b] << This file
C:\WINNT\[b]xvlhv.dll[/b] << This file
C:\WINNT\[b]iecr32.exe[/b] << This file

Now double-click on the cwsserviceremove.reg file and when it prompts to merge, say Yes. This will clear some registry entries left behind by the malware infections.

Then run these three in a row:
CWShredder.exe
aboutbuster.exe
Ad-Aware

Come back and post a new HijackThis log and the About:Buster logs. Let me know how it went.
Lobos

Posted by: Warez Monster

Remove entries at your own risk.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xvlhv.dll/sp.html#37049
Nasty. This entry should be fixed by HijackThis!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xvlhv.dll/sp.html#37049
Nasty. This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
Possibly nasty. This page could possibly be nasty. If you do not know the entry 'about:blank', delete it.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xvlhv.dll/sp.html#37049
Nasty. This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xvlhv.dll/sp.html#37049
Nasty. This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xvlhv.dll/sp.html#37049
Nasty. This entry should be fixed by HijackThis!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\xvlhv.dll/sp.html#37049
Nasty. This entry should be fixed by HijackThis!

R3 - Default URLSearchHook is missing
Should be fixed if you do not know the application or if no application is mentioned. This entry should be fixed.

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
This entry is possibly nasty. Should be fixed.
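Lobos's fix list and Warez Monster's line-by-line verdicts both come down to recognising the same markers in the log: IE start/search pages that point into a res:// DLL resource, the forced about:blank default page, the missing URLSearchHook, an unnamed BHO loading a DLL straight out of C:\WINNT, and a service with a garbled short name whose binary is missing. The Python triage below is an added example, not code from this thread or from HijackThis itself; it applies those checks to a constructed sample assembled from the entries quoted above.

```python
import re

# Constructed sample: entries copied from the HijackThis v1.99.1 log in this
# thread, plus two benign lines so the triage has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\xvlhv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3F3C09C9-AD17-2579-FA98-6732FEE6300C} - C:\WINNT\sysgf.dll
O20 - Winlogon Notify: ATINotify - logonnfy.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\mfcjw.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# IE start/search page served out of a DLL resource: res://<path>.dll/<page>
RES_DLL = re.compile(r"=\s*res://\S+\.dll/", re.IGNORECASE)
# A DLL dropped directly in the Windows directory rather than under System32
WIN_ROOT_DLL = re.compile(r"^C:\\WIN(NT|DOWS)\\[^\\]+\.dll$", re.IGNORECASE)


def triage_line(line):
    """Return a reason if the entry carries a marker of this hijack, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list, blank line
    code, body = m.group(1), m.group(2).strip()
    if code in ("R0", "R1") and RES_DLL.search(body):
        return "IE search/start page served from a res:// DLL resource"
    if code == "R1" and body.endswith("= about:blank"):
        return "default page forced to about:blank"
    if code == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if code == "O2" and "(no name)" in body and WIN_ROOT_DLL.match(body.rsplit(" - ", 1)[-1]):
        return "unnamed BHO loading a DLL from the Windows root"
    if code == "O23" and not body.split(" - ")[0].isascii():
        return "service with a garbled non-ASCII short name"
    if code in ("O20", "O23") and body.endswith("(file missing)"):
        return "logon/service entry whose binary is missing"
    return None


def triage_log(text):
    """Return (code, reason, line) for every flagged entry, in log order."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.split(" - ", 1)[0], reason, raw.strip()))
    return findings
```

Run over the sample it flags six of the eight entries and leaves the Acrobat BHO and the ZoneAlarm service alone, which matches the set Lobos asked to have ticked in HijackThis.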