TechSpot

HijackThis log, help needed.

By vnf4ultra
Jan 25, 2007
Topic Status:
Not open for further replies.
  1. Hello all, I'm trying to clean off a computer that is having a problem with ie7 not going to any websites. I believe it's been hijacked. Firefox however still works.
    I've removed any entries in HJT that are obvious to me, but I'm sure I missed a few, as it still isn't working. I removed some entries that were host file hijacks.
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    McAfee

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    DELDIR0.EXE

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - SOFTWARE - (no file)

    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

    O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html

    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html

    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab

    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC46B1AA-121D-4668-A435-53420A9BA027}: NameServer = 64.136.173.8 64.136.164.66<Only fix this is it doesn`t belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE
    C:\Program Files\McAfee<Delete the entire folder.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of vnf4ultra only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. vnf4ultra

    vnf4ultra TechSpot Paladin Topic Starter Posts: 2,195

    Thanks Howard.

    Should the localnet express entries be removed? Localnet express is the isp that's being used, and it's accelerated dialup(so it uses a proxy).
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    If you know that the localnet express entries are safe, then leave them alone.

    Regards Howard :)

    This thread is for the use of vnf4ultra only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.