Logs below!

HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 3:05:27 PM, on 1/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\gld.exe
C:\WINDOWS\System32\gld.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 7 for hijackthis_199.zip\HijackThis.exe
C:\WINDOWS\regedit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*htt...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*ht...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\gld.exe
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

end of log

windelf log:

************************
* WIN32DELFKIL LOGFILE *
************************

BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
alt.exe

File(s) found in system32 folder
--------------------------------
browsela.dll

SharedTaskScheduler key
-----------------------
SteelWerX Registry Console Tool 1.0
Written by Bobbi Flekman © 2005

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
{438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
{8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
{31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

Notify key
----------
subkey browsela is present!
Your log shows :-

O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll

You have to get this off your PC! That is a leftover from EWIDO...!

Get the FREE Pocket Killbox here:-
http://www.bleepingcomputer.com/files/killbox.php

Start it up.. and open C:\WINDOWS\system32\browsela.dll -- click and hold browsela.dll then slide it in the window of the KillBox.

Tick Delete at next REBOOT --- Ok, then reboot your PC.. the critter will be gone.

Reset your homepage to wherever it was before.
I'm getting a blue screen on a normal boot up because it says Windows can't find C:\windows\inet2001\winlogon.exe. Any ideas?
Kill box is saying pendingfilerename operations registry data removed by an external process. What does this mean?
It means that the file is already deleted or something.

That windelf log isn't complete. Send it again.

Also, fix these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*htt...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*ht...
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\gld.exe
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

And delete these also with e.g. Killbox, the same way as Jeanc1 already told you:

C:\WINDOWS\System32\gld.exe
C:\WINDOWS\alt.exe