catwilliams

Please help - I've been taken hostage

7 posts in this topic

I have scanned with updated Spybot and Ad-aware, as well as a complete virus scan. They have not removed whatever has taken over my Internet. Actually, Spybot keeps saying it cannot fix all and I need to reboot and run Spybot again on boot up. I've done this many times.

 

I've lost my home page - countless Popups, had a real difficult time reaching your sites - it sure didn't want me to download Hijack This.

 

I've run Hijack This and have posted the log file below. Please help me - reading it is like a foreign language. Thank you for any help you can offer.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:28:09 PM, on 19/07/2004

Platform: Windows 2000 SP2 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\system32\regsvc.exe

C:\WINDOWS\system32\MSTask.exe

C:\WINDOWS\system32\stisvc.exe

C:\WINDOWS\System32\WFXSVC.EXE

C:\WINDOWS\System32\WBEM\WinMgmt.exe

C:\Program Files\Symantec\WinFax\WFXMOD32.EXE

C:\WINDOWS\System32\mspmspsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\mcafee.com\VSO\mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wfxsnt40.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\KMaestro\KMaestro.exe

C:\Program Files\Messenger Plus! 3\MsgPlus.exe

C:\PROGRA~1\softwarepeakaim\DefyStupid.exe

C:\WINDOWS\system32\internat.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\cathy\Desktop\Maintenance\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogershispeed.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www.hispeed.rogers.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {4419F7BF-4C3E-DCE0-EF16-2C36636E43D1} - C:\PROGRA~1\HOLEFI~1\City Wma.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: safemove - {B8916132-F04A-A89D-865B-3B7183A0029E} - C:\PROGRA~1\HOLEFI~1\City Wma.dll

O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [btcMaestro] C:\Program Files\KMaestro\KMaestro.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [EQBAIT] C:\PROGRA~1\softwarepeakaim\DefyStupid.exe

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background

O4 - HKCU\..\Run: [RHSI Update Manager] "C:\Program Files\Rogers Hi-Speed Internet\RHSI Update Manager\RHSIUpdateManager.exe" /background

O9 - Extra button: Real.com (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.gov.pe.ca/mapguide/viewers/mgaxctrl.cab

O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communities.msn.com/controls/chat/msnchat42.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7845.6439351852

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab

O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...360/mcfscan.cab

O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/contr...ate/sdkinst.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com


I should mention, I've been trying without any success to download the Hijack This 1.98 - whatever has control of my browser will either not let me get to the page where the download is or I'll get to the page and click to download and it takes me somewhere else - the log I supplied with my first post was generated using HJ 1.97.


Please don't ask more than once a day; there are lots of people with logs 3 or 4 days old that aren't yet analyzed. So be patient, please.


Using Hijack This, you should fix the following:

Be sure to close all browsers before fixing.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {4419F7BF-4C3E-DCE0-EF16-2C36636E43D1} - C:\PROGRA~1\HOLEFI~1\City Wma.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: safemove - {B8916132-F04A-A89D-865B-3B7183A0029E} - C:\PROGRA~1\HOLEFI~1\City Wma.dll

O3 - Toolbar: (no name) - {4DF5B116-4FD9-4039-B377-1130953A980F} - (no file)

O4 - HKCU\..\Run: [internat.exe] internat.exe

 

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com

 

After reboot, delete the following:

C:\WINDOWS\system32\internat.exe


:alarm: SJeesj, I wouldn't fix :alarm:

 

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

 

O4 - HKCU\..\Run: [internat.exe] internat.exe

 

Those are absolutely normal entries.

 

For Internat.exe: http://www.liutilities.com/products/wintas...brary/internat/

Edited by H@ns
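
The disagreement between the two replies above can be made explicit before anything is fixed. This added example, which is not from the thread or from HijackThis itself, parses HijackThis entry lines, splits a proposed fix list into agreed and disputed entries, and lists unlisted entries that match a few structural heuristics; the function names, the heuristics and the trimmed sample input are assumptions of the example.

```python
import re

# Constructed sample: seven entry lines copied from the log posted in this thread.
LOG = r"""O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = cibcmortgages.com,firstline.com"""
_L = LOG.splitlines()
FIX_LIST = "\n".join(_L[0:4] + _L[6:7])        # entries the first reply said to fix
OBJECTIONS = "\n".join([_L[0], _L[2], _L[3]])  # entries the later reply called normal

# An entry line is a section code (R0-R3, O1-O2x), " - ", then the section-specific body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")

def parse_entries(text):
    """Return (code, body) for every entry line; headers and process paths are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m["code"], m["body"].strip()))
    return out

def structural_flags(code, body):
    """Review hints based only on the entry's shape (assumed heuristics, not a verdict)."""
    flags = []
    if code in ("O2", "O3") and body.endswith("(no file)"):
        flags.append("registered component has no file on disk")
    if code == "O16" and re.search(r" - file://", body, re.I):
        flags.append("ActiveX codebase is a local file, not a download URL")
    if code == "O17":
        flags.append("Tcpip\\Parameters value: confirm who set it")
    return flags

def reconcile(log_text, fix_text, objection_text):
    """Split log entries into agreed fixes, disputed fixes, and flagged entries nobody listed."""
    fixes, objections = set(parse_entries(fix_text)), set(parse_entries(objection_text))
    agreed, disputed, unlisted = [], [], []
    for entry in parse_entries(log_text):
        if entry in fixes:
            (disputed if entry in objections else agreed).append(entry)
        elif structural_flags(*entry):
            unlisted.append(entry)
    return agreed, disputed, unlisted
```

Disputed entries are held back until a reviewer resolves them; unlisted flagged entries are candidates for a second look, not automatic removals.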
