Another about:blank hijacker (eecd/dll)

Discussion in 'adware, spyware & hijack cleaning' started by Jerbear, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    Running Windows XP Home Edition and IE 6.0.

    Got a bug and/or bugs infecting my system.

    Used SpHifix to restore Spywareblaster.

    Ran updated scans with Adaware, Spybot, Aluria's Spyware Eliminator, Norton Anti-Virus 2004, Panda On-line virus scan, Trojan Hunter and Browser Hijack Blaster.

    Below is my Hijack This log:

    Sorry, was unable to successfully show it. Would appreciate someone telling me how to properly copy and paste it. Thanks in advance.
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Jerbear,

    I have moved your thread to this Forum where the experts will analyze your HijackThis log. If you follow Step 2 of the below link....you'll see how best to post your HijackThis log.

    This link---> https://www.wilderssecurity.com/showthread.php?t=15913
     
  3. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    I know how to copy and paste a link, etc., but don't know how to copy and paste this text document. Everything I try does not work.

    I right click on the text document and then click copy and then come here and do ctrl v but it does not show anything.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    When you started the scan you pressed the Scan button. When the scan was finished that button should have changed to Save log? When you then press the Save log button it asks where? After you choose the location and save the hijackthis.log file it should then open in Notepad? If it does open in Notepad....you should then be able to right click an area of that log file and Select All....then right click the Select All items and select copy. Then copy\paste that info into a post.

    If the above instructions were not successful....you can upload the log file as an attachment into a post and we'll paste the log info into this thread.
     
  5. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    My Notepad is not working. It says: Program not found and then says: Type in the executable file to be used instead. Which I don't know what file to type in. I guess Notepad is corrupted also, because it always worked in the past.

    I would upload the file and send as an attachment like you mentioned, but don't know how to do that. You are dealing with a 71 yr. old computer illiterate.

    BTW, the eecd.dll file is shown in the list and everything else appears to be OK, but I will not delete or change anything until I can manage to get my log file on this forum.

    Please bear with me. Thank you.
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Patience of Job :)

    When the scan was finished were you able to save the file to a temporary location ?

    If so....when you respond to a post in the Reply to Thread area....there is a section below that named Additional Options. In that area is a Manage Attachments button that when you click on will bring up another box where you can browse to the location to where you saved the HJT log file and upload it as an attachment.
     
  7. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    Here it goes.
     


  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Thanks Jerbear,

    Those experts that voluntarily give of their time to assist with these logs will be along as soon as possible to review your log.

    _____________________________________________________________

    Jerbear's HJT log

    Logfile of HijackThis v1.97.7
    Scan saved at 5:07:06 PM, on 6/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Internet Download Manager\IDMan.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Jerome Cobus\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://My Yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://My Yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {F3C24510-A037-4D0C-B10D-B525FF54980E} - C:\WINDOWS\System32\eecd.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [POINTER] c:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
    O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
    O9 - Extra button: Offline (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://My Yahoo.com
    O14 - IERESET.INF: MS_START_PAGE_URL=http://My Yahoo.com
    O15 - Trusted Zone: http://.*.windowsupdate.com
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.3.20/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopoker2/doubledeuce-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire45.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire45.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pogo.com/applet-5.8.3.20/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo.com - http://hspoker01.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://vpjoke03.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.8.3.20/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.8.5.21/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.3.20/flinger/flinger-ob-assets.cab
    O16 - DPF: Pirate's Gold by pogo - http://swashbucks02.pogo.com/applet/piratesgold/piratesgold-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: SciFi Slots by pogo - http://temp91.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://temp35.pogo.com/applet/sweettooth/sweettooth-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.8.3.20/holdem/holdem-ob-assets.cab
    O16 - DPF: The Sims Pinball by pogo - http://simball01.pogo.com/applet/simball/simball-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.8.2.19/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo.com - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Video Poker by pogo - http://vpoker01.pogo.com/applet/videopoker2/videopoker-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.3.26/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.3.20/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.1.28/worldclass/worldclass-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://www.ea.com/downloads/games/common/boot_strap/iegils.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083756551671
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {4226E9B7-D637-40E8-893A-13298AB41477} - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} - http://www.compaq.com/athome/support/PCHInstallTrust01.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/272d1be81590972a1817/netzip/RdxIE6.cab
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2003012801/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37874.5618287037
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security1.norton.com/us/sa/common/common/bin/cabsa.cab
    O16 - DPF: {C78AC153-1FB9-4198-986D-3613E49B152E} - http://download.microsoft.com/download/win2000platform/Utility/MPSA415/NT45XP/EN-US/mssecuredll.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} - http://www.callwave.com/include/cab/CWDL_DownLoad.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - http://www29.compaq.com/falco/SysQuery.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{12AF6D7A-522A-4B31-8DE5-629E75264FDE}: NameServer = 207.250.248.10 207.250.248.9
    O17 - HKLM\System\CS1\Services\Tcpip\..\{12AF6D7A-522A-4B31-8DE5-629E75264FDE}: NameServer = 207.250.248.10 207.250.248.9
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Jerbear,

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Before you start, please move HijackThis to a separate folder. The program will make backups in the folder it's in.
    These will now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {F3C24510-A037-4D0C-B10D-B525FF54980E} - C:\WINDOWS\System32\eecd.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/272d1be81590972a1817/netzip/RdxIE6.cab

    Then start APM.
    In the upper window select explorer.exe
    In the lower window find and right-click the BHO from the HijackThis log
    Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware to remove the txt and html protocol association.

    Regards,

    Pieter
     
  10. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    I really appreciate your response and assistance. I hope that I can correctly do what you indicate. In any event, I will post back and let the forum know of my results.

    Again, thank you. You guys are great.
     
  11. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    Downloaded and installed APM. Checked all the items in HijackThis log that you indicated.

    Opened APM and selected explorer.exe, but the BHO from the Hijack log was not there.

    Then I realized that the backups from Hijack were not on my desktop. The reason being, I guess, is that I do not understand what you mean by "move Hijackthis to a separate folder."

    So, I am in limbo until I hear from you. Bear with me. Thanks.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  13. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    It is a shame that I came this far but now am lost. I almost always used a download manager and saved everything I downloaded to my Desktop. When I use the IE file download I don't know how to open Windows Explorer.

    If the first part of the instructions were not in German, perhaps I could manage better. But I think that I have a lot of things screwed-up on my computer. I am going to have to go to help and find out what Windows Explorer is and how to make it appear.

    I will keep trying and keep you posted. Hope you don't lose interest.
     
  14. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    OK, I got it downloaded as a separate file listed C: Drive.

    Since I haven't done much surfing since running the log before, would it be OK to use the current log rather than posting a new log?
     
  15. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    Guess that I will have to give up. After doing above no backups appeared on my desktop before or after opening Hijackthis.

    Should I just fix the pertinent files that Hijack shows and skip the APM process (because I cannot make it show the BHO from Hijack) or what?

    Need your advice before I proceed. I know you are busy and may have other priorities, but I will wait several days if necessary for your response.
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Jerbear,

    Post a new HijackThis log and I'll give you new instructions.

    Regards,

    Pieter
     
  17. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    I ran Hijackthis at least 3 times and it deleted some of the entries but not all of them. The backups do appear in the Hijack folder but not on my desktop like you stated. When I use APM and click on explorer.exe the Hijack BHO does not appear (although I do not know exactly what to look for).

    I am posting a new Hijack log attachment.
     


  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    This is the one to look for:

    C:\WINDOWS\System32\eecd.dll

    Keep us posted,

    Pieter
     
  19. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    That file did not appear in the modules window of APM. I did a search for eecd.dll and it came up and I deleted it. (Previously it would not delete)

    Ran another Hijack scan and all the previous entries were gone. A new one named 02-BHO (no name) - - - - - - - - - - - - - - - - -eecd.dll (file missing) was there. (I left the numbers out of above entry)

    I assume that I can safely "fix" or delete this.

    I had taken several steps this morning to get my home page and search back and so far it has been OK. I have WinPatrol and Browser Hijack Blaster and so far they have been negative for infection of eecd.dll. Hope that I am finally clean.

    Just let me know if I can delete the above BHO in Hijack Blaster.

    Again, thanks for your outstanding help and guidance.
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Jerbear,

    (file missing) entries can always be deleted. They indicate orphaned entries in the registry, as you already suspected, pointing at a file that has been deleted.

    Regards,

    Pieter
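
As an added example, not part of the thread and not HijackThis's own logic: a small Python triage of a HijackThis log that flags the kinds of entries selected for fixing earlier in this thread and the orphaned "(file missing)" entries just described. The rules are assumed heuristics modelled on this one log, the function names are hypothetical, and the last sample line is constructed.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread, plus one
# constructed "(file missing)" line (CLSID replaced by a placeholder).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JEROME~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://My Yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {F3C24510-A037-4D0C-B10D-B525FF54980E} - C:\WINDOWS\System32\eecd.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/272d1be81590972a1817/netzip/RdxIE6.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O2 - BHO: (no name) - {CLSID-PLACEHOLDER} - C:\WINDOWS\System32\eecd.dll (file missing)
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")        # "O16 - rest of line"
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)
SYS32_DLL = re.compile(r"\\WINDOWS\\System32\\[^\\]+\.dll$", re.I)


def triage(line):
    """Return (code, reason) if the entry matches an assumed heuristic, else None."""
    m = ENTRY.match(line)
    if not m:
        return None  # not a log entry (header, process list, blank line)
    code, body = m.group(1), m.group(2).strip()
    low = body.lower()
    # Registry entry that points at a file which no longer exists.
    if low.endswith("(no file)") or low.endswith("(file missing)"):
        return code, "orphaned registry entry"
    if code in ("R0", "R1"):
        value = body.partition(" = ")[2].strip().lower()
        if value.startswith("file://") and "\\temp\\" in value:
            return code, "IE setting points at a local temp file"
        if value == "about:blank":
            return code, "IE setting set to about:blank"
    # Assumed heuristic: an unnamed BHO whose DLL sits directly in System32.
    if code == "O2" and "(no name)" in low and SYS32_DLL.search(body):
        return code, "unnamed BHO loaded from System32"
    # Assumed heuristic: ActiveX install source given as a bare IP address.
    if code == "O16" and IP_URL.search(body):
        return code, "ActiveX download from a bare IP address"
    return None


def triage_log(text):
    """Triage every line of a log and return the list of findings."""
    return [hit for hit in map(triage, text.splitlines()) if hit]


if __name__ == "__main__":
    for code, reason in triage_log(SAMPLE_LOG):
        print(f"{code:4} {reason}")
```

A flagged line is a candidate for review, not a verdict; legitimate software can match these patterns, so each hit still needs checking against the file it names.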
     
  21. Jerbear

    Jerbear Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    15
    Thanks, you are the greatest!
     