TechSpot

Help Please - HJT file ewido to follow

By psmith03
Jun 15, 2006
  1. I am so glad to have your guidance here!
    I have worked throughout the day to complete the steps I could read here.
    I've attached the HJT files - will reply with ewido file.
    Please advise & Thanks!
     
  2. psmith03

    psmith03 TS Rookie Topic Starter

    ewido file

    ewido file attached - thanks again!
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.


    First, go HERE and follow the instructions. Then, continue with the instructions below.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    026f6c61.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll (file missing)

    O4 - HKLM\..\Run: [Hsmundaa] C:\Program Files\Uuej\Tcauc.exe

    O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate

    O4 - HKCU\..\Run: [026f6c61.exe] C:\Documents and Settings\jadlo\Local Settings\Application Data\026f6c61.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Fix all O15-Trusted zone entries.

    Fix all O16-DPF entries.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
    O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll

    O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
    C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
    C:\Documents and Settings\jadlo\Local Settings\Application Data\026f6c61.exe

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :wave: :wave:
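
Added example, not part of the thread and not HijackThis's own logic: a small triage pass over log lines in the format shown in the fix list above, flagging the traits that make several of those entries stand out. The flag names and heuristics are assumptions chosen for illustration, and the sample lines are copied from the post.

```python
import re
from pathlib import PureWindowsPath

# Sample input: entries taken from the fix list in the post above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meloco.com/index.php?i=sm
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\System32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [Hsmundaa] C:\Program Files\Uuej\Tcauc.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [026f6c61.exe] C:\Documents and Settings\jadlo\Local Settings\Application Data\026f6c61.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r"(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll)\b", re.I)
AUTOSTART = {"O4", "O20", "O21"}  # Run keys, Winlogon Notify, SSODL

def flags_for(code, body):
    """Return illustrative (assumed) triage flags for one log entry."""
    flags = []
    if body.endswith("(file missing)"):
        flags.append("orphaned-entry")  # registry entry outlived its file
    m = PATH_RE.search(body)
    if m:
        path = PureWindowsPath(m.group(0))
        # Autostart binaries normally live under Program Files or WINDOWS.
        if code in AUTOSTART and "documents and settings" in str(path).lower():
            flags.append("autostart-from-profile-dir")
        if re.fullmatch(r"[0-9a-f]{8}", path.stem, re.I):
            flags.append("hex-random-name")
    if code == "O4" and re.search(r"https?://", body, re.I):
        flags.append("autostart-opens-url")
    return flags

def triage(log_text):
    """Parse 'CODE - body' lines and keep only the entries that raise a flag."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        found = flags_for(m["code"], m["body"])
        if found:
            findings.append((m["code"], found, m["body"]))
    return findings

if __name__ == "__main__":
    for code, found, body in triage(SAMPLE_LOG):
        print(f"{code:<4}{','.join(found):<45}{body}")
```

The `Hsmundaa` Run entry and the changed start page raise no flag here, which is why a path-and-name pass like this only supplements reading the log entry by entry.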
     
  4. psmith03

    psmith03 TS Rookie Topic Starter

    fresh HJT log (as requested)

    Howard,
    I performed all the tasks listed that I was allowed to.

    attached is the fresh HJT log.

    Thanks AGAIN!
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Run HJT and click on the config button, then the misc tools button. Click the delete file on reboot button and browse to C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll. Click on the artm_new.dll file and click open. You will be prompted to reboot your computer, click yes.

    Once your computer has restarted do the following.

    Run HJT and click on the config button, then the misc tools button. Click the delete file on reboot button and browse to C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll. Click on the polymorph.dll file and click open. You will be prompted to reboot your computer, click yes.

    Once your computer has restarted do the following.

    Run HJT and click on the config button, then the misc tools button. Click the delete file on reboot button and browse to C:\Documents and Settings\jadlo\Local Settings\Application Data\026f6c61.exe. Click on the 026f6c61.exe file and click open. You will be prompted to reboot your computer, click yes.


    Once your computer has restarted do the following.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    026f6c61.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O4 - HKCU\..\Run: [026f6c61.exe] C:\Documents and Settings\jadlo\Local Settings\Application Data\026f6c61.exe

    You must fix all O15 Trusted zone entries, no matter what they are.

    O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

    O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
    C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
    C:\Documents and Settings\jadlo\Local Settings\Application Data\026f6c61.exe


    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)
     
  6. psmith03

    psmith03 TS Rookie Topic Starter

    fresh HJT log #3 (as requested)

    Howard,
    followed instructions & did everything I could.
    I noticed many things shown in the log are not showing in the safe mode log.
    That's good, right?

    attached is HJT log #3

    Thanks AGAIN for working thru this with me!
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The exact same entries I asked you to fix are still there, including the O15-Trusted zone entries.

    Why haven't you fixed them?

    Do you have administrator privileges?

    If not, we're wasting our time.

    You said earlier and I quote.
    Could you please explain, what you mean by allowed to?

    Regards Howard :)
     
  8. psmith03

    psmith03 TS Rookie Topic Starter

    addt'l info

    Sorry, I am a super super everyday computer user. Computer techie I am not. I have never looked at a file folder or a directory or anything else in my life. Fortunately, the instructions you have given have been easy to understand, but maybe I am not doing something right. Please try to be patient with me. I will try to go thru the steps I took and hope that helps?

    This past time:
    I ran HJT, browsed saw artm_new.dll & requested the delete file on reboot
    I ran HJT, browsed saw polymorph.dll & requested the delete file on reboot
    I ran HJT, browsed DID NOT see 026f6c61.exe

    booted into safe mode, logged in under the administrator user option
    turned off system restore, turned on show all files... hidden and system...
    opened task manager, 026f6c61.exe was not showing in processes
    closed task manager

    still in safe mode, Ran HJT
    in the logfile, the only files showing that you had listed to fix were:
    2 - O20 ones
    there were no R0, R3, O4, and no O15 files (I thought this was good)
    I clicked the fix button, closed HJT

    I tried to locate the 3 files /directories you mentioned (polymorph, artm, 026f6c61) they were not there

    I rebooted to normal mode, ran HJT & here I am...

    Thanks again for your patience.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, no problem.

    When you boot into safe mode, you should log in on your own account name and not the administrator account.

    Please post a fresh HJT log.

    Regards Howard :)
     
  10. psmith03

    psmith03 TS Rookie Topic Starter

    HJT file #4

    Howard,
    attached is the fresh and hopefully final HJT log.

    Once again, Thanks!
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well done. Your HJT is clean, except for one suspicious entry.

    O21 - SSODL: CDRecorder001 - {A3BC5E20-0235-1ABF-9CE1-00AA00512001} - C:\WINDOWS\System32\bjgish32.dll

    If you don't recognise it, let HJT fix it. I can't find any info on that .dll file.

    Regards Howard :)
     
  12. psmith03

    psmith03 TS Rookie Topic Starter

    Thank You!!!

    GOOD NEWS!!!
    Thanks sooooooooo much. This was a learning experience and I so appreciate your time, effort, and patience with me!!!
     
Topic Status:
Not open for further replies.
