ShadowLady

HKey/MySearch hijack - MERGED 3

5 posts in this topic

Hi, I am relatively new to the world of PCs; however, I am quickly learning!!

My PC runs with Windows ME.

I read your article on searching for possible hijackers - after running a search I have found I have HKey in my registry - however, after looking in the 2 control panel folders and many subfolders, I could not locate - inetcpl.cpl - that I need to delete.

 

I am not confident enough to delete anything without a guiding hand, as my first PC was crashed by a trojan I did not know existed until too late.

 

Also, I use Australian Yahoo - I managed (I think) to get rid of Yahoo Companion, but now when I start up Yahoo I am getting a toolbar for Mysearchnow.com and my address bar at the top says - MySearchNow.compassthroughIndex/Yahoo.com - once a Yahoo sign-in page comes up (not my homepage I had set) I also get popups.

 

I run Adaware 6.0 version several times a night now and also go into the Cookie folder and delete stuff from there too (except an Index file - which I cannot delete as it tells me it's a Source File and is in use); I'm unsure what that means either!

 

Sorry to be a pain in the butt - however, I read your info site - the best I have found! - and would appreciate anybody's ideas or suggestions.

 

With Thanks in advance,

ShadowLady


Logfile of HijackThis v1.97.7

Scan saved at 10:43:45 PM, on 24/05/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\PERSONAL FIREWALL\PERSFW.EXE

C:\PROGRAM FILES\AVG6\AVGSERV9.EXE

C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\GTWATCH.EXE

C:\PROGRAM FILES\AVG6\AVGCC32.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\TEMP\T7S5.EXE

C:\WINDOWS\TEMP\NIO.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\SYSTEM\WINOA386.MOD

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BigPond

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {29F3EE9D-0026-F2EB-F93C-5889DDDCDA1C} - C:\PROGRAM FILES\BLAH SHIM\COOL CAMP.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)

O3 - Toolbar: Rule 2 Pop - {DC68A913-6DDE-0BEF-42AA-3B560B8C1B66} - C:\PROGRAM FILES\BLAH SHIM\COOL CAMP.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O7 "EPUSB1:" /M "Stylus C43"

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [T7S5] C:\WINDOWS\TEMP\T7S5.EXE

O4 - HKLM\..\Run: [NIO] C:\WINDOWS\TEMP\NIO.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Personal Firewall\persfw.exe" /hide

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\AVG6\Avgserv9.exe

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"

O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab

O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab

O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab

O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab

O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandr...uncherSetup.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8110.7593171296

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab

O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au

O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au

 

Thanks for any help in advance!


Hi ShadowLady

 

Forum we are in chat on this :)

 

Familiarize yourself with how to start in safe mode and how to show hidden files and folders, if you don't already know how to; links below.

 

Start HijackThis and place a check next to these items.

Close all browser windows and shut down all other programs (even folders) that show in the taskbar. Then hit Fix selected.

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {29F3EE9D-0026-F2EB-F93C-5889DDDCDA1C} - C:\PROGRAM FILES\BLAH SHIM\COOL CAMP.DLL

O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)

O3 - Toolbar: Rule 2 Pop - {DC68A913-6DDE-0BEF-42AA-3B560B8C1B66} - C:\PROGRAM FILES\BLAH SHIM\COOL CAMP.DLL

 

O4 - HKLM\..\Run: [T7S5] C:\WINDOWS\TEMP\T7S5.EXE

O4 - HKLM\..\Run: [NIO] C:\WINDOWS\TEMP\NIO.EXE

O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE

O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

========

In Control Panel > Add/Remove Programs, find and uninstall Messenger Plus!

It contains Lop, a parasite.

http://www.spywareinfo.com/newsletter/arch...june-2003/3.php

 

Reboot/restart the PC, preferably into safe mode:

http://support.microsoft.com/default.aspx?...kb;EN-US;180902

Set Windows to show all hidden files and folders:

How to show hidden files and folders.

 

and delete these folders (if still there)

C:\Program Files\Messenger Plus! 2

C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH

C:\PROGRAM FILES\BLAH SHIM

 

Important: next, delete the contents of all your temp folders, that is,

the contents of the C:\windows\temp folder and of C:\temp, if it exists.

And clear IE's cache via Control Panel > Internet Options > [Delete Files] button, ticking the option in the popup to also delete offline content.

 

Reboot back to a normal Windows session,

then make and post a new log.

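The reply above picks out the suspect entries by eye: the missing R3 search hook, the unnamed BHO and toolbar, the toolbar whose file is gone, and the O4 autoruns that launch from C:\WINDOWS\TEMP. The script below is an added example (not code from this forum, from the helper, or from HijackThis itself) that applies those same checks to a handful of lines copied from the log posted above, plus one cross-entry check the eye does less reliably: the same DLL (COOL CAMP.DLL) registered under two different CLSIDs, once as a BHO and once as a toolbar. The line formats are taken from the log as posted; the TEMP_DIRS list and the wording of the findings are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis v1.97.7 log
# posted in this thread. R1/R3 = IE registry settings, O2 = BHOs, O3 = toolbars,
# O4 = autorun registry entries.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {29F3EE9D-0026-F2EB-F93C-5889DDDCDA1C} - C:\PROGRAM FILES\BLAH SHIM\COOL CAMP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O3 - Toolbar: Rule 2 Pop - {DC68A913-6DDE-0BEF-42AA-3B560B8C1B66} - C:\PROGRAM FILES\BLAH SHIM\COOL CAMP.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [T7S5] C:\WINDOWS\TEMP\T7S5.EXE
O4 - HKLM\..\Run: [NIO] C:\WINDOWS\TEMP\NIO.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

# "R3 - ..." / "O4 - ..." : section code, then the entry body.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# O2/O3 body: "BHO: NAME - {CLSID} - PATH" or "Toolbar: NAME - {CLSID} - PATH".
COMPONENT_RE = re.compile(r"^(BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4 body: "HKLM\..\Run: [VALUE NAME] COMMAND".
AUTORUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.*)$")

# Assumption: scratch directories on this Win9x box. A legitimate startup
# program is installed somewhere durable, not left in a temp folder.
TEMP_DIRS = ("c:\\windows\\temp\\", "c:\\temp\\")


def triage(log_text):
    """Return [(line, [reason, ...]), ...] for every entry that merits review."""
    reasons_by_line = {}            # insertion-ordered: line -> reasons
    modules = defaultdict(list)     # lowercased module path -> lines registering it

    def flag(line, reason):
        reasons_by_line.setdefault(line, []).append(reason)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()

        if section == "R3" and body.endswith("is missing"):
            flag(line, "default IE URLSearchHook removed (typical of a search hijack)")

        elif section in ("O2", "O3"):
            c = COMPONENT_RE.match(body)
            if c is None:
                continue
            _kind, name, _clsid, path = c.groups()
            if name == "(no name)":
                flag(line, "component registered without a display name")
            if path == "(no file)":
                flag(line, "registration points at a file that no longer exists (orphan)")
            else:
                modules[path.lower()].append(line)

        elif section == "O4":
            a = AUTORUN_RE.match(body)
            if a is None:
                continue
            command = a.group(4).strip().strip('"').lower()
            if command.startswith(TEMP_DIRS):
                flag(line, "autorun launches a program from a temp directory")

    # Cross-entry check: one DLL registered under several CLSIDs (here as both
    # a BHO and a toolbar) is a single package hooking IE in two places, so the
    # entries should be judged, and removed, together.
    for path, lines in modules.items():
        if len(lines) > 1:
            for line in lines:
                flag(line, "module %s is registered by %d entries" % (path, len(lines)))

    return list(reasons_by_line.items())


def flagged_lines(log_text):
    """Convenience: just the raw log lines that triage() flagged."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, six entries come back: the R3 line, both nameless components, both COOL CAMP.DLL registrations, and the two TEMP autoruns; TaskMonitor, ctfmon and the &Radio toolbar are left alone. These are review flags, not verdicts: the unnamed-component and shared-module checks are heuristics, and on a real log each hit still needs the kind of look the helper gives above before anything is fixed.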

ShadowLady - threads merged to here. Stick to just this one please.

This topic is now closed to further replies.