• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
wordlife

help needed

2 posts in this topic

help is needed. my homepage is set to 0webearch.com and when i click on certain links it takes me to a porn site. i have tried to remove 0websearch.com from hijackthis but it keeps on poppin up again and again. can somebody help me.

thnx.

this is my save log from hijackthis:

 

Logfile of HijackThis v1.98.0

Scan saved at 11:09:22 PM, on 7/16/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\brss01a.exe

C:\PROGRA~1\INTERN~2\inetmgr.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\INTERN~2\inetsvc.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\program files\support.com\bin\tgcmd.exe

C:\WINDOWS\inetdata\services.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\bundle.exe

C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe

C:\Program Files\SBC\Connection Manager\CManager.exe

C:\PROGRA~1\NEOPLA~1\bin\np.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\WINDOWS\System32\dllcache\IExplore.exe

C:\Program Files\Winamp\winamp.exe

C:\WINDOWS\System32\hwllgq.exe

C:\Documents and Settings\Owner\Application Data\eber.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Owner\My Documents\Downloads\Software Downloads\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll

O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL (file missing)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll

O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll

O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sAHBundle] C:\DOCUME~1\Owner\LOCALS~1\Temp\bundle.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

O4 - HKLM\..\Run: [iyhqounzrgreh] C:\WINDOWS\System32\hwllgq.exe

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe

O4 - Startup: NeoPlanet.lnk = C:\Program Files\NeoPlanet\bin\Neo.exe

O4 - Global Startup: ZoneAlarm Plus.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zaplus.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Flyswat - {E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16} - C:\PROGRA~1\flyswat\Flylib.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: www.mt-download.com

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/MyFm01.cab

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/507369.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{D38A0C5F-C919-4D8B-A302-5C04956DDE11}: NameServer = 64.164.99.50 206.13.30.12

Share this post


Link to post
Share on other sites

Hello wordlife,

 

Please download Spybot: Search and Destroy from http://www.safer-networking.org/index.php

Check for Updates first, download ALL Updates and Do a Scan.

When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

_ _ __ _ _

 

I'd Also Recommend you Download AdAware, Another good Antispyware Program From http://www.lavasoftusa.com/support/download/.

Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan.

 

Before you do a Scan, set up AdAware by clicking the gear wheel at the top and check these options:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

_ _ _ _ _ _ _

 

There appears to be some CoolWeb infection. Please download the latest version of CWShredder here:

http://www.spywareinfo.com/~merijn/files/CWShredder.exe or here: http://www.zerosrealm.com/downloads/CWShredder.zip

Run it, then click "Fix" (not Scan only) and let it fix all the variants it finds.

Then Reboot.

 

_ _ _ _ _ _ _ _

 

The click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

And if these are there, Remove them, then reboot.

 

'ShopAtHomeSelect Agent'

'Transponder' <----anything with that in the name

'CommonName'

'FavoriteMan/F1'

'FavoriteMan/ZZ '

 

_ _ _ _ _ _ _ _ _

 

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for this:

 

hwllgq.exe

 

Then close task manager.

 

_ _ _ _ _ _ _ _ _

 

 

Now open HijackThis, click Scan, then put a check next to the following entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

 

O2 - BHO: biObj Class - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll

O2 - BHO: F1 Organizer Class - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\ATPART~1.DLL (file missing)

O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

 

O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

O4 - HKLM\..\Run: [sAHBundle] C:\DOCUME~1\Owner\LOCALS~1\Temp\bundle.exe

O4 - HKLM\..\Run: [iyhqounzrgreh] C:\WINDOWS\System32\hwllgq.exe

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe

 

O15 - Trusted Zone: www.mt-download.com

 

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/MyFm01.cab

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/507369.exe

 

Then Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

 

Now reboot to safe mode (tap F8 while restarting) and delete these files:

 

C:\WINDOWS\System32\hwllgq.exe

C:\WINDOWS\inetdata\services.exe

C:\Documents and Settings\Owner\Application Data\eber.exe

 

You may have to show hidden files:

 

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Then browse to the C:\documents and settings\<Your Profile> (repeat for all users)\local settings\temp folder and delete all files and folders in it.

Then browse to the C:\Windows\Temp folder and delete all files in it.

This will delete all your cached internet content including cookies

 

Then in internet explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

 

Then, reboot normally.

 

Let's also see if you have a Look2Me infection.

A tool has been made by Option^Explicit and freeatlast to find and remove it.

 

Please download VX2Finder from this link, and save it to your Desktop.

 

http://downloads.subratam.org/VX2Finder(126).exe

 

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

 

Please copy and paste the contents of the log into your next reply here, along with a new HJT log.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0