I've tried everything!!


1 reply to this topic

#1 ZupzGee

Posted 08 July 2004 - 02:55 AM

Hello, i've been trying to remove the infamous CWS crap off my WinXP (NTFS) computer for the past 4 hours now and i've almost completely given up. i have no clue what to do next... i'm thinking i might have to reformat (noooo).

the only annoying thing that is happening to me now is my browser takes me to that infamous page (s1di.d8t.biz/index.php?aid=20038) whenever i mistype a web address. that's all. my browser doesn't even show that blank page on load (it loads my homepage fine).

this is my biggest problem because i already think i've taken care of that nasty file problem. no more .dlls or obvious spyware files are popping up after hours of using ad-aware, spybot, cwshredder, & hijackthis.

i've tried so many different combinations and methods of cleaning my pc like shutting off system restore, deleting my hosts files and my user temporary files, going into safe mode, clearing all internet files, etc. nothing will stop my browser from taking me to that damn page if i type the wrong address, so what do i do? someone please help, i feel like i'm just one step away from solving this but i have no idea where to go from here.

here's my hijackthis log file:

Logfile of HijackThis v1.97.7
Scan saved at 2:48:14 AM, on 7/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Documents and Settings\Admin\My Documents\Tools\Tclock\tclock2.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Admin\My Documents\Tools\GtfoIRC\mirc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\America Online 5.0\waol.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Admin\Desktop\New Folder\HijackThis.exe
C:\WINDOWS\System32\dwwin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: TClock.lnk = C:\Documents and Settings\Admin\My Documents\Tools\Tclock\tclock2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run WinHTTrack (HKLM)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

as you can see not much is running on there and i don't suspect a single file on the list. i also tried looking into my registry and although it's tough to know where to look exactly, i found nothing suspicious in the run/runservices threads or elsewhere.

#2 PGPhantom

Posted 31 August 2004 - 12:33 PM

Due to the time passed and the fact that you are running an older version ...
  • HijackThis ...
    • Double click on "My Computer" to open it.
    • Double click on the local "C-Drive" to open it.
    • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
    • Please download HijackThis from any of the following locations:
      • spywareinfo.com
      • subratam.org
      • tools.zerosrealm.com
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis, click on scan and wait for the scan to finish.
  • The "Scan" button will change to "Save Log", click on it and simply press "Save" on the window that will appear.
  • Notepad will open with a copy of the log.
    • Click on "Edit" => "Select All".
    • Click on "Edit" => "Copy". This will copy the contents of the Notepad instance to the clipboard.
  • Please post your entire log here for analysis.
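
Added example, not part of the thread and not HijackThis code: a small Python parser for the log layout posted in #1. It splits the header version, the running processes and the R/O entries, then lists entries that show no name or no target path. The section descriptions and the two review marks are this example's own choices, and a flagged entry only needs a closer look (the unnamed BHO in this log is Spybot's SDHelper.dll).

```python
import re
from collections import defaultdict

# Excerpt of the log in post #1, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Image Transfer.lnk = ?
"""

# What the section codes seen in that log refer to (example's own wording).
SECTIONS = {"R0": "IE start/search page", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart entry",
            "O8": "IE context-menu item", "O9": "IE button / Tools menu item"}
HEADER_RE = re.compile(r"^Logfile of HijackThis v(\d+(?:\.\d+)*)")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (version tuple, running processes, entries grouped by code)."""
    version, processes, entries = None, [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        header, entry = HEADER_RE.match(line), ENTRY_RE.match(line)
        if header:
            version = tuple(int(p) for p in header.group(1).split("."))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif entry:
            entries[entry.group(1)].append(entry.group(2))
    return version, processes, dict(entries)

def needs_review(entries):
    """Entries to inspect first; a flag means 'look closer', not 'malicious'."""
    marks = {"= ?": "no target path shown", "(no name)": "listed without a name"}
    return [(code, SECTIONS.get(code, "unknown"), why, item)
            for code, items in entries.items() for item in items
            for mark, why in marks.items() if mark in item]
```
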




