Hijack This Log sandoxer jmnad1

Lo all!

First of all, fantastic forum! Lots of information here it seems, so congrats!

Secondly... I'm hoping someone can lend me a hand sorting out an adware problem with the two addies in the thread title. I've tried everything to get rid of them, and don't even now how they got onto my system in the first place. I only surf a very limited number of websites on the whole... so it's extremely frustrating to have gotten this...

Anyway, another thread (https://www.wilderssecurity.com/showthread.php?t=39136&goto=nextoldest) highlighted my problem, but as it seems log dependent, I feel more comfortable asking here just to verify I'm not going to do anything I'll regret. Furthermore, I ONLY use firefox, and this is an IE popup, and even uninstalling IE in control panel hasn't gotten rid of them....

Downloaded memory watcher as recommended by pieter, but I can't tell what that does... any advice from here would be VERY much appreciated. Thank you.

 

Hi !

I'm sure you mean you downloaded MemoryWatcher UNINSTALLER which would remove many adware programs
Tick the following items in HijackThis and then close all programs and fix them
Reboot, let us know

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=134272
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=134272

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=134272
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://default-homepage-network.com/start.cgi?new-hkcu
R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\plg0\AproposPlugin.dll

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - G:\WINDOWS\System32\NDrv.dll

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - (no file)

O4 - HKLM\..\Run: [jwD.exe] G:\windows\temp\jwD.exe
O4 - HKLM\..\Run: [qqpihx] G:\WINDOWS\System32\glpknb.exe
O4 - HKLM\..\Run: [AutoLoaderr0py1JWlXLPN] "G:\WINDOWS\System32\slbllreg.exe" /PC="AM.WILD" /HideUninstall

O4 - HKLM\..\Run: [Power Scan] G:\Program Files\Power Scan\powerscan.exe

O4 - HKLM\..\Run: [r76O37j] slbllreg.exe

O4 - HKCU\..\Run: [awpERXHng] paccon.exe
O4 - HKCU\..\Run: [Tuew] G:\Documents and Settings\El Gaucho\Application Data\atta.exe
O4 - HKCU\..\Run: [NDrv] G:\WINDOWS\System32\NDrv.exe

I'd appreciate if you find all the EXE and DLL files referenced there and send them to submit @ diamondcs.com.au

The one that is a bit iffy is
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

Sure it could be legit.. fix it but send me that if you want to be sure, it could be for one of your programs. Can you tell by looking at it ?

 

Thanks for the reply Gavin!

I've followed your instructions, and in addition have sent all the exe's and dll files to the email shown in your reply in a zip file, except where otherwise stated, and detailing the reason behind it.

This is my new logfile, though I can't tell for sure it's all gone yet.

Many thanks again! I'll update if I find anything new!

PS: I HAVE left the autoupdate.exe intact, although I could not identify what it pertained to. It strikes me as odd that an autoupdate should be running from C: where my system and all installed apps are on other drives in this partition. It, and a dll (libexpat.dll) in the same folder, are attached in the email also.

 

Hello,

Run Hijackthis again and check these items and then on Fix:

R3 - URLSearchHook: {EA551C00-2AE5-11d3-8592-00A0C98E9EA4} - - (no file)

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r76O37j] lindpa.exe
O4 - HKCU\..\Run: [awpERXHng] lnko35.exe

Reboot the computer into safe mode

Because XP will not always show you hidden files and folders by default.
Reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Find and delete these files/folders:

C:\Program Files\AutoUpdate
lindpa.exe
lnko35.exe

Reboot and run HJT again and post a new log here.