Clarification of Answer by livioflores-ga on 16 Oct 2004 22:30 PDT
Hi!!
Wow!! Your system is full of spyware and other pests. Did you use
Adaware? If not, give it a chance. I notice that you have installed
Spyware Stormer; this software is considered a bad one of this type,
so I suggest that you uninstall it and use Adaware (it is one of the
better ones and it is free). Spyware Stormer is suspected of acting as
spyware. See the following customers' reviews:
"Spyware Stormer - User opinions and free download at Download.com":
http://www.download.com/3302-8022_4-10297449.html
Print these instructions in order to read them while you are cleaning your PC.
Uninstall Windows SyncroAd from Control Panel --> Add/Remove Software.
(if you cannot uninstall it don't worry, continue with the rest of the
instructions)
Perform an online antivirus scan at HouseCall:
Click on the "Scan Now. It's Free!" link and accept all the required
downloads and temporary installs.
http://housecall.trendmicro.com/
Remove found trojans and viruses (if any) and then reboot.
Now download and run CWShredder to remove the CoolWebSearch spyware:
http://www.majorgeeks.com/download4086.html
Reboot your computer and run Adaware, let it fix everything that it
found and reboot again.
Now copy HijackThis into its own folder:
Click My Computer --> then C:\ --> At menu bar: File->New->Folder -->
A folder named New Folder will be created, rename it to HJT to have a
C:\HJT\ folder --> Move HijackThis there. HijackThis makes backups of
everything you fix; these backups are saved in the same folder as the
program.
Now run HijackThis, scan and check the following items (DON'T FIX YET):
If you have run Adaware and CWShredder before running HJT, some of the
following entries will not be found (and this is good news!!).
The whole R0 and R1 section:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: DOMPeek Class - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\WINDOWS\dpe.dll
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe (this one only if you want to disable it -suggested-)
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Devon\Application Data\amee.exe
O4 - HKCU\..\Run: [Pyemj] C:\WINDOWS\System32\t?skmgr.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
The complete O16 section.
Now close all open browsers and windows and click 'Fix Checked'.
Reboot into Safe Mode:
"Starting your computer in Safe mode":
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
Run HijackThis, go to Config > Misc Tools > Open process manager.
Select the following processes one at a time and click "Kill Process".
Do not worry if they are not all listed:
C:\WINDOWS\System32\systime.exe
C:\Program Files\Spyware Stormer\SpywareStormer.Exe (this one only if you want to disable it -suggested-)
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\WINDOWS\System32\systime.exe
C:\Documents and Settings\Devon\Application Data\amee.exe
C:\WINDOWS\System32\t?skmgr.exe
PowerReg Scheduler V3.exe
PowerReg Scheduler.exe
Display hidden files, file extensions and folders:
Go to Start --> Run --> Type 'control folders' (w/o quotes) and press
enter --> On the displayed box go to the View tab --> Check "Show
hidden files and folders" --> Uncheck "Hide protected Operating System
files" and "Hide file extensions..." --> Click the "Apply to all
folders" button --> Accept.
See "How to Show System Files":
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Open an Explorer window and surf your computer to delete the following files:
·C:\WINDOWS\dpe.dll
·C:\WINDOWS\System32\systime.exe
·C:\Program Files\Spyware Stormer\SpywareStormer.Exe (this one only if you want to disable it -suggested-)
·C:\Program Files\Windows SyncroAd\SyncroAd.exe
·C:\WINDOWS\System32\systime.exe
·C:\Documents and Settings\Devon\Application Data\amee.exe
·C:\WINDOWS\System32\t?skmgr.exe (here try to find any file that
matches this pattern and delete it, for example tqskmgr.exe; any file
except taskmgr.exe)
·PowerReg Scheduler V3.exe
·PowerReg Scheduler.exe
Clear Temporary Folders\Files and Internet Files
Go to start --> Run --> Type cleanmgr --> Enter.
Make sure only the following are checked:
·Temporary Internet files
·Recycle Bin
·Temporary Files
Click OK
Repeat the steps for clearing temporary folders\files and internet
files for all users.
Disable System Restore:
Right Click on "My Computer" at desktop --> Select Properties --> Go
to the System Restore Tab --> Check 'Turn off System Restore on all
drives' --> Click Apply --> Uncheck 'Turn off System Restore on all
drives' --> Accept.
Reboot in normal mode (as always), run HijackThis, scan and post the new log.
I hope that the new log will be a clean one.
Regards.
livioflores-ga
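As an added illustration of why the answer above marks the R0/R1 and O13 entries as obfuscated (this is not part of the original answer or of HijackThis): in `http://homepage.com%00@www.e-finder.cc/search/` everything before the `@` is only the URL's user-info part, so the browser actually goes to `www.e-finder.cc`, and the O13 prefix `http://%65%68%74%74%70%2E%63%63/?` is just percent-encoded letters. The Python script below decodes such entries and flags the O4 Run entry whose name imitates `taskmgr.exe`; the sample log lines are constructed from the entries quoted above, and the list of imitated binaries is an assumption.

```python
import re
from urllib.parse import unquote
# Constructed sample lines modelled on the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O4 - HKCU\..\Run: [Pyemj] C:\WINDOWS\System32\t?skmgr.exe
"""
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+", re.I)
# Small hand-picked list of Windows binaries that pests like to imitate (an assumption).
KNOWN_BINARIES = {"taskmgr.exe", "svchost.exe", "explorer.exe", "winlogon.exe"}

def real_host(url):
    """Percent-decode the URL; return (host really contacted, whether '@' user-info disguised it)."""
    decoded = unquote(url)                      # '%00' becomes a NUL, '%65' becomes 'e', ...
    m = re.match(r"^[a-z]+://([^/?#]*)", decoded, re.I)
    if not m:
        return "", False
    _userinfo, at, hostport = m.group(1).rpartition("@")   # text before '@' is NOT the host
    return hostport.split(":")[0].lower(), bool(at)

def looks_like(name):
    """Return the known binary that `name` differs from by exactly one character, else None."""
    n = name.lower()
    for real in KNOWN_BINARIES:
        if len(real) == len(n) and sum(a != b for a, b in zip(real, n)) == 1:
            return real
    return None

def analyze(log):
    """Collect (section, finding) pairs for the entries a reviewer should look at first."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        for url in URL_RE.findall(body):
            host, trick = real_host(url)
            if trick:
                findings.append((sec, f"userinfo trick hides real host {host}"))
            elif unquote(url) != url:
                findings.append((sec, f"percent-encoded host decodes to {host}"))
        exe = body.rsplit("\\", 1)[-1]          # last path component of an O4 Run entry
        if sec == "O4" and looks_like(exe):
            findings.append((sec, f"{exe} mimics {looks_like(exe)}"))
    return findings
```

The plain `http://213.159.117.134/index.php` start page is left alone by this script; whether a bare IP address is acceptable as a home page is a judgement the reviewer makes by hand.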