#4
02-07-2005, 03:38 PM
Mobo
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
You may want to print or copy and save this to the desktop.

Let's now reboot into safe mode, then open HijackThis and insert a check next to the following. Then close all other open windows and click "Fix checked".


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zcqlneadncmtzewumszxff.net/GCpE...va3fyOytqU.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zfxiyjkxxdphuo.org/n2dhMAxBkH44...OAmT56pzII2.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\HBHOSTIE.DLL

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM303.DLL

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL

O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\HBHOSTIE.DLL

O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)



Then unregister these DLLs:


regsvr32 /u c:\windows\iopti130.dll
regsvr32 /u c:\windows\istbar.dll
regsvr32 /u c:\windows\nem207.dll
regsvr32 /u c:\windows\nem210.dll
regsvr32 /u c:\windows\nem214.dll
regsvr32 /u c:\windows\safesurfing.dll
regsvr32 /u c:\windows\ssurf022.dll
regsvr32 /u c:\windows\systemroot+\system\opti130.dll
regsvr32 /u c:\windows\systemroot+\system32\opti130.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.aa.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.j.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.k.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.q.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.r.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.t.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.w.dll
regsvr32 /u c:\windows\trojandownloader.win32.dyfuca.z.dll
regsvr32 /u c:\windows\wsem210.dll
regsvr32 /u c:\windows\wsem300.dll


Then remove these via regedit:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/unidist.ocx
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\windows\downloaded program files\muldist.ocx
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\windows\downloaded program files\unidist.ocx
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer active alert
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer software installer
HKEY_CLASSES_ROOT\interface\{ca7ccb52-6922-47e5-b784-3a3f82c51863}
HKEY_CLASSES_ROOT\interface\{f332d106-2ef3-45c4-baf2-0f739d76b26a}
HKEY_CLASSES_ROOT\multidist.multidistctrl.1
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{f7f808f0-6f7d-442c-93e3-4a4827c2e4c8}
HKEY_CLASSES_ROOT\typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc}
HKEY_CLASSES_ROOT\typelib\{11b6f65d-7b8d-43cb-9aae-17234a1db33a}


Reboot, rescan and post a fresh HijackThis log.
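The post walks through the usual HijackThis (HJT) clean-up by hand: tick the R0/R1/O2/O3/O8/O9 entries, unregister the DLLs, then delete the registry keys that carry the components. The script below is an added example, not code from the post or from HijackThis itself: it parses HJT log lines of the kinds shown above into structured indicators and turns them into the same kind of plan (DLLs to `regsvr32 /u`, registry keys and values to remove, hosts the hijacked search settings point at). The sample lines are copied from the post; the registry locations it assigns to each entry type (Browser Helper Objects, Toolbar, MenuExt, Extensions) are the standard Internet Explorer and shell locations, an assumption stated in the code rather than something the post spells out. It also flags entries HJT reports as "(no file)", where there is nothing left to unregister and only the registry key needs to go.

```python
"""Turn HijackThis (HJT) log lines into a remediation plan.

Added example, not code from the forum post or from HijackThis.  The sample
entries are the ones quoted in the post; the registry locations assumed for
each entry type are the standard Internet Explorer / shell locations HJT reads.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the entries the post tells the user to tick in HJT.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zcqlneadncmtzewumszxff.net/GCpE...va3fyOytqU.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zfxiyjkxxdphuo.org/n2dhMAxBkH44...OAmT56pzII2.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\HBHOSTIE.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM303.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.5.0.0\HBHOSTIE.DLL
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Assumed registry homes of each entry type (standard IE/shell locations).
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Toolbar"
EXT_KEY = r"HKLM\Software\Microsoft\Internet Explorer\Extensions"
MENUEXT_KEY = r"HKCU\Software\Microsoft\Internet Explorer\MenuExt"


@dataclass
class Entry:
    kind: str            # R0, R1, O2, O3, O8, O9
    name: str = ""       # display name (BHO / toolbar / menu item)
    clsid: str = ""      # {GUID} if the entry has one
    target: str = ""     # file path, file:// URL, http URL or "(no file)"
    reg_value: str = ""  # R0/R1 only: "HIVE\key,value" that was hijacked


def parse_line(line):
    """Parse one HJT line; returns None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind.startswith("R"):
        reg, _, url = body.partition(" = ")
        return Entry(kind, reg_value=reg.strip(), target=url.strip())
    # O-lines: "<label>: <name> - {CLSID} - <file>" (the CLSID part is optional)
    _, _, rest = body.partition(": ")
    parts = [p.strip() for p in rest.split(" - ")]
    clsid = next((p for p in parts if CLSID_RE.fullmatch(p)), "")
    return Entry(kind, name=parts[0], clsid=clsid, target=parts[-1] if len(parts) > 1 else "")


@dataclass
class Plan:
    files: set = field(default_factory=set)       # on-disk components (lower-cased)
    reg_keys: set = field(default_factory=set)    # keys to delete outright
    reg_values: set = field(default_factory=set)  # "key,value" pairs to reset
    hosts: set = field(default_factory=set)       # hosts the hijacked searches point at
    orphans: list = field(default_factory=list)   # entries whose file is already gone


def build_plan(lines):
    """Map every entry to the files and registry locations that carry it."""
    plan = Plan()
    for e in filter(None, map(parse_line, lines)):
        if e.kind.startswith("R"):
            plan.reg_values.add(e.reg_value)
            host = re.match(r"https?://([^/]+)", e.target)
            if host:
                plan.hosts.add(host.group(1).lower())
            continue
        if e.kind == "O2":    # BHO: its registration plus the COM class
            plan.reg_keys.add(f"{BHO_KEY}\\{e.clsid}")
            plan.reg_keys.add(f"HKCR\\CLSID\\{e.clsid}")
        elif e.kind == "O3":  # toolbar: a value named by CLSID plus the COM class
            plan.reg_values.add(f"{TOOLBAR_KEY},{e.clsid}")
            plan.reg_keys.add(f"HKCR\\CLSID\\{e.clsid}")
        elif e.kind == "O8":  # context-menu item keyed by its display name
            plan.reg_keys.add(f"{MENUEXT_KEY}\\{e.name}")
        elif e.kind == "O9":  # extra button / menu item keyed by CLSID
            plan.reg_keys.add(f"{EXT_KEY}\\{e.clsid}")
        path = e.target[len("file://"):] if e.target.lower().startswith("file://") else e.target
        if path == "(no file)":
            plan.orphans.append(e)   # nothing to unregister; delete the key directly
        elif path:
            plan.files.add(path.lower())
    return plan


def regsvr32_commands(plan):
    """The post's 'regsvr32 /u' step, generated for every DLL the log names."""
    return [f'regsvr32 /u "{p}"' for p in sorted(plan.files) if p.endswith(".dll")]


if __name__ == "__main__":
    plan = build_plan(SAMPLE_LOG.splitlines())
    for cmd in regsvr32_commands(plan):
        print(cmd)
    for key in sorted(plan.reg_keys):
        print("delete key:", key)
    for e in plan.orphans:
        print("orphan entry, delete key only:", e.kind, e.clsid)
```

Run it against a real log saved from HJT by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the output is a checklist, not an action, so review it before deleting anything. The orphan check matters in practice: an O9 entry reported as "(no file)" cannot be unregistered, and the post's `regsvr32 /u` step would simply fail on it, which is why the registry keys are listed separately.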