Hijack This Log sandoxer jmnad1

Discussion in 'adware, spyware & hijack cleaning' started by elgaucho, Jul 20, 2004.

Thread Status:
Not open for further replies.
  1. elgaucho
    elgaucho Registered Member

    Lo all!

    First of all, fantastic forum! Lots of information here it seems, so congrats!

    Secondly... I'm hoping someone can lend me a hand sorting out an adware problem with the two addies in the thread title. I've tried everything to get rid of them, and don't even know how they got onto my system in the first place. I only surf a very limited number of websites on the whole... so it's extremely frustrating to have gotten this... :(

    Anyway, another thread (http://www.wilderssecurity.com/showthread.php?t=39136&goto=nextoldest) highlighted my problem, but as it seems log dependent, I feel more comfortable asking here just to verify I'm not going to do anything I'll regret. Furthermore, I ONLY use Firefox, and this is an IE popup, and even uninstalling IE in Control Panel hasn't gotten rid of them....

    Downloaded memory watcher as recommended by pieter, but I can't tell what that does... any advice from here would be VERY much appreciated. Thank you. ;)

  2. Gavin - DiamondCS
    Gavin - DiamondCS Former DCS Moderator

    Hi !

    I'm sure you mean you downloaded MemoryWatcher UNINSTALLER which would remove many adware programs :)
    Tick the following items in HijackThis, then close all programs and fix them.
    Reboot, then let us know.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=134272
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=134272

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=134272
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
    R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\plg0\AproposPlugin.dll

    O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - G:\WINDOWS\System32\NDrv.dll

    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

    O4 - HKLM\..\Run: [jwD.exe] G:\windows\temp\jwD.exe
    O4 - HKLM\..\Run: [qqpihx] G:\WINDOWS\System32\glpknb.exe
    O4 - HKLM\..\Run: [AutoLoaderr0py1JWlXLPN] "G:\WINDOWS\System32\slbllreg.exe" /PC="AM.WILD" /HideUninstall

    O4 - HKLM\..\Run: [Power Scan] G:\Program Files\Power Scan\powerscan.exe

    O4 - HKLM\..\Run: [r76O37j] slbllreg.exe

    O4 - HKCU\..\Run: [awpERXHng] paccon.exe
    O4 - HKCU\..\Run: [Tuew] G:\Documents and Settings\El Gaucho\Application Data\atta.exe
    O4 - HKCU\..\Run: [NDrv] G:\WINDOWS\System32\NDrv.exe

    I'd appreciate if you find all the EXE and DLL files referenced there and send them to submit @ diamondcs.com.au

    The one that is a bit iffy is
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    Sure, it could be legit... fix it, but send me that if you want to be sure; it could be for one of your programs. Can you tell by looking at it?
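The reply asks for every EXE and DLL referenced in those entries. Below is an added example (not from this thread or from HijackThis itself) that parses entries in that log format and sorts them into files with a known path, bare file names that still have to be located on disk, and "(no file)" orphans that only need fixing in the registry; the sample entries are copied from the log posted above.

```python
import re

# Added example (not from the thread): pull the binaries out of HijackThis
# entries so they can be located and submitted. Entry text copied from the log above.
SAMPLE_LOG = """\
R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\\Program Files\\SysAI\\plg0\\AproposPlugin.dll
O4 - HKLM\\..\\Run: [AutoLoaderr0py1JWlXLPN] "G:\\WINDOWS\\System32\\slbllreg.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\\..\\Run: [Power Scan] G:\\Program Files\\Power Scan\\powerscan.exe
O4 - HKLM\\..\\Run: [r76O37j] slbllreg.exe
O4 - HKCU\\..\\Run: [awpERXHng] paccon.exe
"""

EXT = r"\.(?:exe|dll)"
# Drive-rooted path (may be unquoted and contain spaces), ending at the extension.
FULL_PATH = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?" + EXT + r"(?=[\"\s]|$)", re.I)
# Bare file name with no directory: Windows resolves it through the search path,
# so the file has to be located on disk before it can be submitted.
BARE_NAME = re.compile(r"(?<![\\\w])[\w.$-]+" + EXT + r"(?=[\"\s]|$)", re.I)

def parse_entry(line):
    """Return (section, full_path, bare_name, no_file) for one HijackThis line."""
    m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    no_file = rest.endswith("(no file)")   # orphaned registry reference
    target = rest
    if section == "O4" and "] " in rest:   # O4 - key: [value name] command line
        target = rest.split("] ", 1)[1]
    elif section == "O2":                   # O2 - BHO: name - {CLSID} - file
        target = rest.rsplit(" - ", 1)[-1]
    path = bare = None
    if not no_file:
        full = FULL_PATH.search(target)
        if full:
            path = full.group(0)
        else:
            bm = BARE_NAME.search(target)
            bare = bm.group(0) if bm else None
    return section, path, bare, no_file

def referenced_files(log):
    """Split entries into files to collect, names to search for, and orphans."""
    parsed = [e for e in map(parse_entry, log.splitlines()) if e]
    return {
        "paths": sorted({e[1] for e in parsed if e[1]}),
        "bare_names": sorted({e[2] for e in parsed if e[2]}),
        "no_file": sum(1 for e in parsed if e[3]),
    }
```

Bare names such as `slbllreg.exe` can show up both with and without a path; the bare form is what a disk-wide search (as later in this thread) has to find before the file can be zipped up.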
  3. elgaucho
    elgaucho Registered Member

    Thanks for the reply Gavin!

    I've followed your instructions, and in addition have sent all the EXE and DLL files to the email shown in your reply in a zip file, except where otherwise stated, detailing the reason behind it.

    This is my new logfile, though I can't tell for sure it's all gone yet.

    Many thanks again! I'll update if I find anything new! :)

    PS: I HAVE left the autoupdate.exe intact, although I could not identify what it pertained to. It strikes me as odd that an autoupdate should be running from C: where my system and all installed apps are on other drives in this partition. It, and a dll (libexpat.dll) in the same folder, are attached in the email also.
  4. Taz71498
    Taz71498 Registered Member

    Hello,

    Run HijackThis again, check these items and then click on Fix:

    R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [r76O37j] lindpa.exe
    O4 - HKCU\..\Run: [awpERXHng] lnko35.exe

    Reboot the computer into safe mode.

    Because XP will not always show you hidden files and folders by default, reset your search settings first.

    Open Folder Options > View and check your settings:
    Select:
    Show hidden files and folders
    Display the contents of system folders
    Uncheck: Hide protected operating system files
    Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click.
    Be sure the first three boxes are selected:
    Search System folders
    Search Hidden Files and folders
    Search SubFolders

    Find and delete these files/folders:

    C:\Program Files\AutoUpdate
    lindpa.exe
    lnko35.exe

    Reboot and run HJT again and post a new log here.