Hi RC,
I was indeed lurking, as Deep C alluded.. :D I was writing War and Peace on another thread.. :D:D
Just to let you know I'm checking it now.
Cheers
Liam
Hi RC,
First a note. Bearshare is bundled with Spy/Adware. I've recommended deletion in the following. If you want an alternative, then please read here.
Please go here and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.
Then you need to place Hijack This in its own folder (e.g. C:\\HJT\\….) so it can generate backup files to the same folder; needed should an entry be accidentally deleted. Then please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about :blank
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about :blank
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\\WINNT\\bxxs5.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Program Files\\MSN Apps\\MSN Toolbar\\01.02.0001.1004\\en-gb\\msntb.dll (file missing)
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\\WINNT\\dealhlpr.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\\WINNT\\dealhlpr.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Program Files\\MSN Apps\\MSN Toolbar\\01.02.0001.1004\\en-gb\\msntb.dll (file missing)
O4 - HKLM\\..\\Run: [Explkw] C:\\WINNT\\System32\\expup.exe
O4 - HKLM\\..\\Run: [DealHelperUpdate] C:\\WINNT\\DHUpdt.exe
O4 - HKLM\\..\\Run: [DealHelperBrwsr] C:\\WINNT\\dhbrwsr.exe
O4 - HKLM\\..\\Run: [stcinstaller] c:\\installer\\id53.exe
O4 - HKLM\\..\\Run: [bxxs5] RunDLL32.EXE C:\\WINNT\\bxxs5.dll,DllRun
O4 - HKLM\\..\\Run: [MessengerPlus3] "C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe"
O4 - HKLM\\..\\Run: [P2P Networking] C:\\WINNT\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART
O4 - HKLM\\..\\Run: [Windows AdControl] C:\\Program Files\\Windows AdControl\\WinAdCtl.exe
O4 - HKLM\\..\\Run: [BearShare] "C:\\Program Files\\BearShare\\BearShare.exe" /pause
O4 - HKCU\\..\\Run: [ClockSync] C:\\PROGRA~1\\CLOCKS~1\\Sync.exe /q
O4 - HKCU\\..\\Run: [msmc] C:\\WINNT\\system32\\msmc.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b3444
2a0
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1025976.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\\WINNT\\System32\\msdhmd.dll
Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.
Then boot into safe mode, (see here for info if needed) and delete the entire contents of the C:\\Windows\\Temp (or C:\\WINNT\\Temp) folder, but not the folder itself. Next please find and delete the following bolded files...
C:\\WINNT\\bxxs5.dll
C:\\WINNT\\dealhlpr.dll
C:\\WINNT\\System32\\expup.exe
C:\\WINNT\\DHUpdt.exe
C:\\WINNT\\dhbrwsr.exe
C:\\WINNT\\dhsvr.exe
c:\\installer\\id53.exe
C:\\WINNT\\system32\\msmc.exe
C:\\WINNT\\System32\\msdhmd.dll
..and these folders...
C:\\WINNT\\System32\\P2P Networking
C:\\Program Files\\Windows AdControl
C:\\Program Files\\BearShare
C:\\PROGRA~1\\CLOCKS~1
Then please boot back into normal mode and download AdAware SE from here.
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.
Next, we need to configure Ad-aware for a full scan.
Click on the Gear icon (second from the left) to access the preferences/settings window
1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file
· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed
3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information
4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot
5. Click on Proceed to save the settings.
6. Click Start and on the next screen choose:
· Use Custom Scanning Options
7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Next, please reboot again and download Spybot - Search & Destroy 1.3 from here: if you haven't already got the program.
Click on Updates | Download Updates, and follow the prompts.
Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.
Next reboot and go here, and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.
Next, download and run CCleaner. If you have certain cookies you want to retain, then click on the Options button before running, and move across the ones that you want to keep...
Cheers
Liam
EDIT: Apologies, I forgot to disable smilies before posting, hence all the \\. Too many to remove on edit.. :ok: :)
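Added example, not part of Liam's post: a small Python check that parses HijackThis entries like the ones listed above and compares the files they reference against a manual delete list, so fixed entries and deleted files can be reconciled before rebooting. The log lines and delete targets are copied from the post (doubled backslashes included); the function names are this example's own.

```python
import re

# Lines copied from the HijackThis log in the post (doubled backslashes as posted).
LOG = r"""
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about :blank
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\\WINNT\\dealhlpr.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Program Files\\MSN Apps\\MSN Toolbar\\01.02.0001.1004\\en-gb\\msntb.dll (file missing)
O4 - HKLM\\..\\Run: [bxxs5] RunDLL32.EXE C:\\WINNT\\bxxs5.dll,DllRun
O4 - HKLM\\..\\Run: [MessengerPlus3] "C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe"
O4 - HKLM\\..\\Run: [BearShare] "C:\\Program Files\\BearShare\\BearShare.exe" /pause
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\\WINNT\\System32\\msdhmd.dll
"""

# Subset of the post's delete list: four files and one folder.
DELETE = [r"C:\\WINNT\\bxxs5.dll", r"C:\\WINNT\\dealhlpr.dll", r"C:\\WINNT\\dhsvr.exe",
          r"C:\\WINNT\\System32\\msdhmd.dll", r"C:\\Program Files\\BearShare"]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                   # section code, rest of line
PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?]*?\.(?:exe|dll|ocx)', re.I)

def unslash(s):
    """Collapse the doubled backslashes seen in the forum post."""
    return s.replace("\\\\", "\\")

def parse(log):
    """Return one dict per entry: section code, referenced file, missing flag."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(unslash(line.strip()))
        if not m:
            continue
        p = PATH.search(m.group(2))
        entries.append({"code": m.group(1),
                        "path": p.group(0).lower() if p else None,  # Windows paths: fold case
                        "missing": m.group(2).endswith("(file missing)")})
    return entries

def cross_check(entries, delete_list):
    """Return (files fixed in the log but not deleted, delete targets absent from the log)."""
    targets = [unslash(d).lower() for d in delete_list]
    under = lambda path, t: path == t or path.startswith(t + "\\")
    paths = [e["path"] for e in entries if e["path"]]
    leftover = sorted({e["path"] for e in entries if e["path"] and not e["missing"]
                       and not any(under(e["path"], t) for t in targets)})
    unreferenced = [t for t in targets if not any(under(p, t) for p in paths)]
    return leftover, unreferenced

if __name__ == "__main__":
    print(cross_check(parse(LOG), DELETE))
```

Both result lists are items to review by hand, not errors: a file may be left on disk deliberately, and a delete target may belong to a process that had no autostart entry in the log.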