cleanup

my home page changed

11 posts in this topic

closed all windows and ran cwshredder. thought all was fine. spybot doesn't find cwcoolsearch anymore. but something is still uninstalling the browser helper guard that the new spybot has and trying to change my home page to solongas.com

 

i looked on a website that specialized in the coolsearch hijack and it said that solongas.com was one of the websites that it tries to direct people to. a pop up ad keeps coming up telling me that i have spyware. tell me something i don't know!

 

here's the most recent hijackthis list:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:30:57 PM, on 7/24/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Smtray.exe

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program Files\Microsoft Works\WksSb.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\csuptfn.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program Files\Norton Internet Security\IAMAPP.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Documents and Settings\Preferred Customer\Application Data\amee.exe

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\WINDOWS\System32\ydefmhbu.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Norton Internet Security\SymProxySvc.exe

C:\Program Files\Norton Internet Security\NISSERV.EXE

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Preferred Customer\Local Settings\Temporary Internet Files\Content.IE5\4X0XAJW1\HijackThis[1].exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.closecall.net/index-ie.asp

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CCAOL

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>;*windowsupdate.com;download.microsoft.com;*windowsupdate.microsoft.com;codecs.microsoft.com;activex.microsoft.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\4yyuvvw8bu68.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [pnsnwzorut] C:\WINDOWS\System32\csuptfn.exe

O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [qzihkpiz] C:\WINDOWS\qzihkpiz.exe

O4 - HKLM\..\Run: [khen] C:\WINDOWS\khen.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Preferred Customer\Application Data\amee.exe

O4 - HKCU\..\Run: [Vxwqpfg] C:\WINDOWS\System32\ydefmhbu.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: CloseCall 5X Accelerator.lnk = C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: SmartUI.lnk = ?

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: SideFind (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O9 - Extra button: Support (HKCU)

O10 - Unknown file in Winsock LSP: c:\progra~1\closec~1\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\closec~1\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\closec~1\sliplsp.dll

O10 - Unknown file in Winsock LSP: c:\progra~1\closec~1\sliplsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11edaa929534aae9b605/...ip/RdxIE601.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7994.6530787037

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3E3F84A6-29E6-4BE4-8644-F6AD4D8B551C}: NameServer = 209.244.0.3 209.244.0.4

O17 - HKLM\System\CS1\Services\Tcpip\..\{3E3F84A6-29E6-4BE4-8644-F6AD4D8B551C}: NameServer = 209.244.0.3 209.244.0.4

 

and here's what cwshredder had found:

 

Shredder

 

CWShredder v1.59.1 scan only report

Please understand that a CWShredder 'Scan only' report

might not be sufficient to troubleshoot an infected system.

You can use HijackThis for that:

http://www.merijn.org/files/hijackthis.zip

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

 

Windows XP (5.01.2600 )

Windows dir: C:\WINDOWS

Windows system dir: C:\WINDOWS\System32

AppData folder: C:\Documents and Settings\Preferred Customer\Application Data

Username: Preferred Customer

 

Found Hosts file: C:\WINDOWS\System32\drivers\etc\hosts (21 bytes, A)

CWS.Hputi Registry value: HKCU\..\Run [jopa] C:\WINDOWS\System32\sysstartup.exe

Shell Registry value: HKLM\..\WinLogon [shell] Explorer.exe

UserInit Registry value: HKLM\..\WinLogon [userInit] C:\WINDOWS\system32\userinit.exe,

Found CWS.Smartsearch.2 file: c:\y.exe (0 bytes, RHS, running)

Found CWS.Smartsearch.2 file: c:\x.exe (0 bytes, RHS)

Found CWS.Winproc32 file: C:\WINDOWS\System32\winproc32.exe (0 bytes, RHS)

Found CWS.IEengine file: C:\Program Files\Internet Explorer\IEengine.exe (0 bytes, RHS)

Found CWS.IEengine file: C:\WINDOWS\dllhelp.exe (0 bytes, RHS)

Found CWS.IEengine file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe (0 bytes, RHS)

Found Win.ini file: C:\WINDOWS\win.ini (1010 bytes, A)

Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

 

- END OF REPORT -

 

please help. thanks.

Edited by cleanup


Hi there,

 

Please do this first;

 

You are running hijackthis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar) like this C:\My Documents\hjt\HijackThis. Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create the backup files that you may need whilst it is being run from a temporary folder.

 

Next;

 

Update HijackThis to version 1.98

• run HijackThis

select config> misc tools and select "update online". then yes.

Run a scan and post a new Hijackthis log after you are done.


Thanks for your email. I really appreciate you working with me. I ran hijackthis from a new folder.

Here's the new log info:

 

Logfile of HijackThis v1.98.0

Scan saved at 8:07:36 AM, on 7/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Smtray.exe

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program Files\Microsoft Works\WksSb.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\csuptfn.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Documents and Settings\Preferred Customer\Application Data\amee.exe

C:\WINDOWS\System32\ydefmhbu.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Norton Internet Security\SymProxySvc.exe

C:\Program Files\Norton Internet Security\NISSERV.EXE

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Norton Internet Security\IAMAPP.EXE

C:\Program Files\Norton AntiVirus\navapw32.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security\ATRACK.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Preferred Customer\Local Settings\Temp\Temporary Directory 1 for hijackthis2.zip\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CCAOL

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\4yyuvvw8bu68.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [pnsnwzorut] C:\WINDOWS\System32\csuptfn.exe

O4 - HKLM\..\Run: [qzihkpiz] C:\WINDOWS\qzihkpiz.exe

O4 - HKLM\..\Run: [khen] C:\WINDOWS\khen.exe

O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Preferred Customer\Application Data\amee.exe

O4 - HKCU\..\Run: [Vxwqpfg] C:\WINDOWS\System32\ydefmhbu.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: CloseCall 5X Accelerator.lnk = C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: SmartUI.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Support - {B7A1E5E8-AD47-4358-8357-F9AD2176620C} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11edaa929534aae9b605/...ip/RdxIE601.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3E3F84A6-29E6-4BE4-8644-F6AD4D8B551C}: NameServer = 209.244.0.3 209.244.0.4

O17 - HKLM\System\CS1\Services\Tcpip\..\{3E3F84A6-29E6-4BE4-8644-F6AD4D8B551C}: NameServer = 209.244.0.3 209.244.0.4


Hi there,

 

Please do this first;

 

I suggest you proceed as follows:

Download the latest version of CWShredder Here by Merijn Bellekom, the creator of Hijack This. Check for updates!!

Run it, press 'Fix', and allow it to fix all it finds.

Next;

 

 

 

You are still running hijackthis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar) like this C:\My Documents\hjt\HijackThis. Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create the backup files that you may need whilst it is being run from a temporary folder.

 

When you have done this, then make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';

 

NOTE THE OPTIONAL FIXES, I RECOMMEND FIXING THEM

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

 

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\4yyuvvw8bu68.dll

 

 

O4 - HKLM\..\Run: [pnsnwzorut] C:\WINDOWS\System32\csuptfn.exe

O4 - HKLM\..\Run: [qzihkpiz] C:\WINDOWS\qzihkpiz.exe

O4 - HKLM\..\Run: [khen] C:\WINDOWS\khen.exe

 

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\Preferred Customer\Application Data\amee.exe

O4 - HKCU\..\Run: [Vxwqpfg] C:\WINDOWS\System32\ydefmhbu.exe

 

O4 - Global Startup: CloseCall 5X Accelerator.lnk = C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe<<<<If you know of this keep it, if not fix it.

 

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE<<<<These items are considered to be resource hogs that are not needed and it may be worthwhile to fix them with HJT. You will still be able to start them manually if you need them...

 

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

 

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/11edaa929534aae9b605/...ip/RdxIE601.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

 

Restart your computer in Safe Mode. Also make sure you show hidden and system files. Then delete the following files or folders as indicated below if they still show:

 

Not all or any of these may still show,

 

 

 

C:\WINDOWS\System32\csuptfn.exe<<<<File

C:\Documents and Settings\Preferred Customer\Application Data\amee.exe<<<<File

C:\WINDOWS\System32\ydefmhbu.exe<<<<File

C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe<<<<Folder

C:\WINDOWS\System32\4yyuvvw8bu68.dll<<<<File

C:\WINDOWS\qzihkpiz.exe<<<<File

C:\WINDOWS\khen.exe<<<<File

C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe<<<<Folder

C:\Program Files\SideFind\sidefind.dll<<<<Folder

C:\WINDOWS\web\related.htm<<<<Folder

 

Reboot, then post a fresh logfile so that I can check to see if it is clean.


Thanks for your instructions. I followed each of your steps. Here's the new logfile:

 

Logfile of HijackThis v1.98.0

Scan saved at 12:04:43 PM, on 7/25/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Smtray.exe

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program Files\Microsoft Works\WksSb.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Norton Internet Security\IAMAPP.EXE

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton Internet Security\NISUM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Norton Internet Security\SymProxySvc.exe

C:\Program Files\Norton Internet Security\NISSERV.EXE

C:\WINDOWS\System32\BRMFRSMG.EXE

C:\Program Files\Norton Internet Security\ATRACK.EXE

C:\hij\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = CCAOL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [Atari Launcher] C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Atari icon.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: CloseCall 5X Accelerator.lnk = C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: SmartUI.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Support - {B7A1E5E8-AD47-4358-8357-F9AD2176620C} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409

 

I had trouble with the CloseCall stuff. That's my provider. My computer kept saying that the files/folder were copyrighted and could not be deleted. When I opened IE, I got a blank screen. Also prompts came up from spybot saying that something wanted to restore original images. I kept denying it until the window stopped popping up. Also, been having trouble with shredder. can't check for updates. fetching comes up, but then something about the server must be busy and to try back later. again, thanks for your help.

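The before/after comparison a helper does by eye at this point in the thread, written out as an added example that is not part of any post: it parses pasted HijackThis logs, checks which fix-list entries survived, lists entries that vanished without being on the fix list, and flags a scanner run from a temporary folder. The excerpts are cut down from the logs above; the function names are hypothetical.

```python
import re

# Section codes as they appear in HijackThis logs (R0, O2, O4, O16, ...).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

# Excerpts constructed from the logs and fix list posted in this thread.
BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\csuptfn.exe
C:\Documents and Settings\Preferred Customer\Local Settings\Temp\Temporary Directory 1 for hijackthis2.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\4yyuvvw8bu68.dll
O4 - HKLM\..\Run: [pnsnwzorut] C:\WINDOWS\System32\csuptfn.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: CloseCall 5X Accelerator.lnk = C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe
"""

FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\4yyuvvw8bu68.dll
O4 - HKLM\..\Run: [pnsnwzorut] C:\WINDOWS\System32\csuptfn.exe
O4 - Global Startup: CloseCall 5X Accelerator.lnk = C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe<<<<If you know of this keep it, if not fix it.
"""

AFTER = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\Explorer.EXE
C:\hij\HijackThis.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: CloseCall 5X Accelerator.lnk = C:\Program Files\CloseCall 5X Accelerator\close5xaccl.exe
"""


def parse_log(text):
    """Split a pasted log into (running_processes, [(code, detail), ...]).

    Blank lines are skipped so double-spaced forum pastes parse the same way,
    and a helper's trailing '<<<<note' annotation is dropped from each line.
    """
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.split("<<<<", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first R/O entry ends the process list
            entries.append((match.group(1), match.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def hijackthis_in_temp(processes):
    """Return the scanner's path if it ran from a temp folder, else None."""
    for path in processes:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name.startswith("hijackthis") and any(m in low for m in TEMP_MARKERS):
            return path
    return None


def check_remediation(before, fix_list, after):
    """Compare the pre-fix log, the fix list and the post-fix log."""
    _, before_entries = parse_log(before)
    _, fix_entries = parse_log(fix_list)
    after_procs, after_entries = parse_log(after)
    after_set, fix_set = set(after_entries), set(fix_entries)
    return {
        # Fix-list entries that are still in the new log.
        "still_present": [e for e in fix_entries if e in after_set],
        # Entries that disappeared although nobody asked for their removal.
        "vanished_unrequested": [
            e for e in before_entries if e not in after_set and e not in fix_set
        ],
        "scanner_in_temp": hijackthis_in_temp(after_procs),
    }


if __name__ == "__main__":
    for key, value in check_remediation(BEFORE, FIX_LIST, AFTER).items():
        print(key, "->", value)
```
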

Hi there,

 

Quick one, Leave CloseCall if that is your provider, that is why I put a note beside it! If CWShredder is version 1.59.1 run it.


Hi there,

 

 

Ok your log is clean now, DO NOT TOUCH CLOSECALL.

 

To provide future protection - I would advise you to download and install:

 

SpywareBlaster will block bad ActiveX and malevolent cookies. Download from Here

 

IE-SPYAD puts over 5000 sites in your restricted zone, if you use IE, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Download Here

 

Both are very small free programs that you run once, and then just weekly to check for updates.

 

And also see: So how did I get infected in the first place?


Thanks for all of your help. I'm glad to hear that the computer should be clean. I do have one last question, though. It might be a silly one, but what should I do with all of these files that I have in the recycle bin? There are 40 of them. As far as I know, it was empty before all this started.


You are very welcome :wave:

 

Empty the recycle bin, making sure it is only files etc from the fix. If you wish you could copy the contents and paste them in to notepad and post it here for me to look at.


hi again,

i don't think my computer's clean yet. after we were finished a :blank IE screen would pop-up and then disappear again. this would happen rather frequently. that 'restore original image' spybot window comes up frequently too. spybot doesn't report anything, but norton pops up now saying that trojan.horse is found in c:windows\676065 and that file cannot be repaired. on top of that some kind of slipscan keeps trying to access the internet. what's more my computer is now freezing temporarily and it hasn't done that before. please advise. (i'll start a new thread if that's the protocol.)


Hi there,

 

Please post a new log here.
