HijackThis log, help needed.

Status
Not open for further replies.
vnf4ultra

vnf4ultra

Posts: 1,360   +2
Hello all, I'm trying to clean off a computer that is having a problem with ie7 not going to any websites. I believe it's been hijacked. Firefox however still works.
I've removed any entries in HJT that are obvious to me, but I'm sure I missed a few, as it still isn't working. I removed some entries that were host file hijacks.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

McAfee

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

DELDIR0.EXE

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - SOFTWARE - (no file)

O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"

O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html

O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html

O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab

O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{FC46B1AA-121D-4668-A435-53420A9BA027}: NameServer = 64.136.173.8 64.136.164.66<Only fix this is it doesn`t belong to your ISP.

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\DOCUME~1\Owner\LOCALS~1\Temp\DELDIR0.EXE
C:\Program Files\McAfee<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of vnf4ultra only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks Howard.

Should the localnet express entries be removed? Localnet express is the isp that's being used, and it's accelerated dialup(so it uses a proxy).
 
If you know that the localnet express entries are safe, then leave them alone.

Regards Howard :)

This thread is for the use of vnf4ultra only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

Daniel Sims
Disney executives want Bob Iger to buy EA or another large gaming company
Replies
16
Views
554
Bluescreendeath
B
Cal Jeffrey
Someone created a video game with nothing but AI tools ChatGPT, Dall-E, and Midjourney
Replies
15
Views
547
havok585
havok585
Cal Jeffrey
Bitwarden's password manager browser extension has a known exploit it hasn't addressed...
Replies
16
Views
902
anastrophe
anastrophe

Latest posts

Back