Tech Support Guy banner
Status
Not open for further replies.
1 - 20 of 48 Posts

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #1 ·
Can anyone tell me what ocat yellow pages is? this programs seems to take over my friends computer here at home. Can anyone Please tell me what this is and how he can get rid of it ASAP?
 

·
Retired Moderator
Joined
·
84,301 Posts
I think that might be a toolbar.

Have them do this for starters:

Download Ad-Aware SE: http://www.lavasoftusa.com/support/download/

Install and run it. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

Restart the computer.

SpyBot Search & Destroy: http://majorgeeks.com/download2471.html

Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

Restart again.

Get Hijack This: http://www.majorgeeks.com/download3155.html
Make sure it's downloaded to a permanent folder of his creation on the hard drive.
Launch it. Hit Scan, then Save Log
Open the log file it saved
Copy and paste the log into this thread

Do not attempt to fix anything yet
Someone will analyze the log
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #3 ·
All righty then,lol I printed this off for him, I had him, download ad-aware before I posted this, he got rid of a lot of junk that way. He is somewhat a stuborn person,lol, but I think he will follow your instructions. lol I will post back when he is done.Thank you.
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #5 ·
*sigh* On the hijack download, he said he don't like to share, files etc that are on his computer. I don't see it this way, but then again, I do somewhat know more about this stuff than he does,lol He don't know anything about these programs, and actually never heard of them until I told him about them. So if he wants to get it fixed, I guess he will listen huh?lol
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #7 ·
lol Thanks, he is running the spybot now.
He also downloaded hijack and has a log.
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #8 ·
Logfile of HijackThis v1.99.0
Scan saved at 1:10:14 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Netropa\OSD.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Max\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasearch.com/?said=acc0002_ho
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: HyperSearchHook - {6C58EE8C-FA60-45A7-B062-898787AB1A01} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage.dll
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - C:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CD2B27A-AA41-8872-B3E7-D9C265CC90C8} - C:\DOCUME~1\Max\APPLIC~1\Findcoal\BOOB JUNK.exe
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Close meal hope name] C:\Documents and Settings\All Users\Application Data\Nurbinternetclosemeal\curb pile.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Amentwo] C:\DOCUME~1\Max\APPLIC~1\ACTIVE~2\SCRANTIACE.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://img.rn11.com/ssoap/pptproactauthmirror/systemsoappro.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #9 ·
He has a Dell computer
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #11 ·
Yep, I saw that, NewNet is a bad thing, I had some on mine too, I got rid of. He did some Fixes with hijack, then , ran his spybot, now running ad-aware, I checked out the majorgeeks sight, and found where you can copy, your hijack log, in it, to antylize the hijack results, and it tells you the results of what to fix, wow thats to cool. But at least he is listening, and I am learning some things myself today. Thank you so much. He has found even more junk with ad-aware now. lol some how this don't surprise me. :p
 

·
Retired Moderator
Joined
·
84,301 Posts
It doesn't surprise me either.

Make sure he uninstalls Warez P2P Client.

P2P programs leave your system very vulnerable to infection.

Will the new log be posted when he's done scanning? :)
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #13 ·
Not really sure, if he will run hijack again today,lol he's getting wore out all ready,from running all these new programs. he never knew exsisted.
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #15 ·
He's running hijack now
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #17 ·
Logfile of HijackThis v1.99.0
Scan saved at 6:41:35 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: HyperSearchHook - {6C58EE8C-FA60-45A7-B062-898787AB1A01} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Close meal hope name] C:\Documents and Settings\All Users\Application Data\Nurbinternetclosemeal\curb pile.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Amentwo] C:\DOCUME~1\Max\APPLIC~1\ACTIVE~2\SCRANTIACE.exe
O4 - Startup: DLHelperEXE.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://img.rn11.com/ssoap/pptproactauthmirror/systemsoappro.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
 

·
Administrator
Joined
·
123,559 Posts
Well, I've got another program for him to download. He has a lop.com infection and needs to run the removal tool:

Lop remover tool: http://www.thespykiller.co.uk/files/lopremover.exe

Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: HyperSearchHook - {6C58EE8C-FA60-45A7-B062-898787AB1A01} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll

O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage.dll

O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks.dll

O4 - HKLM\..\Run: [Close meal hope name] C:\Documents and Settings\All Users\Application Data\Nurbinternetclosemeal\curb pile.exe

O4 - HKCU\..\Run: [Amentwo] C:\DOCUME~1\Max\APPLIC~1\ACTIVE~2\SCRANTIACE.exe

O4 - Startup: DLHelperEXE.exe

O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/...erInstaller.exe

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://img.rn11.com/ssoap/pptproact...stemsoappro.cab


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\Program Files\Common Files\Hyperbar - folder
C:\Program Files\STHomePage - folder
C:\Program Files\STLinks - folder
C:\Documents and Settings\All Users\Application Data\Nurbinternetclosemeal - folder
C:\DOCUME~1\Max\APPLIC~1\ACTIVE~2 - folder (the name will start with these six letters)
DLHelperEXE.exe - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Reboot and post another log please.
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #19 ·
Thank you Cookie, He was off work yesterday, we spent the entire day, working on his computer, wow what a day, He had been having a lot of problems with his computer, so I had him download ad-aware, he got rid of tons of things there, then he ran his spybot, then I turned to TSG, Cheese had him download hijack, and wow what a mess hijack found. Cheese was a lot of help, we worked on that for hours, No wander, his computer was having so many problems, But anyway, he won't be back until late tonight, from work, so we will start back on this, this weekend, and I will post another hijack log, once he has done, what you said to do above. Thank you, for your help. He has never ran any of these programs on his computer before, so just maybe, we can get it back to running well again. And maybe he will learn from this experiance. I will post back, once he has done what you said to do above, and he has ran hijack again. Thank you again.
 

·
Registered
Joined
·
1,505 Posts
Discussion Starter · #20 ·
http://www.thespykiller.co.uk/files/lopremover.exe I downloaded this program so I would be familiar with it,and see if maybe I have a lop.com infection also. I downloaded it, and clicked on run, and I get this pop up that says uninstall verification, and your suppose to type in the numbers you see. and it is an uninstall, I do not understand this at all.{confused} I install it, then when I try to run it, it says uninstall. This makes no sense to me. waiting for a reply, with this on my screen.
 
1 - 20 of 48 Posts
Status
Not open for further replies.
Top