• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
Challenge

CWS

15 posts in this topic

My homepage is highjacked by CWS url is ip addy. The worst thing is that my "My Comp" button and other windows functions don't respond.

 

I would really appreciate help with this. I have read the guides and followed instructions. I have tried following instructions from other threads ie. bjp3's that had similar sounding probs but nothing has worked.

 

I have tried ad-ware, spybot and cwshredder. I have gone into safe mode and deleted the dialler that came from the page re-direction and run the above again but to no avail.

Any help with this log or ideas would be appreciated.

 

 

Logfile of HijackThis v1.97.3

Scan saved at 20:21:38, on 31.05.04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM32\WINTIME.EXE

C:\WINDOWS\SYSTEM\EXPLORER.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

 

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE

O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [system Update] C:\WINDOWS\System\explorer.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Popup Eliminator (HKLM)

O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38137.672025463

Share this post


Link to post
Share on other sites

alright, i did a search and ive come to the conclusion that line

 

 

 

O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE

 

is your problem

Share this post


Link to post
Share on other sites

Many thanks for your help Ghost but I am afraid the problem remains. I have done a new log but I think I'll smash the thing anyway!! :techsupport: or is there a chance?!

 

Logfile of HijackThis v1.97.3

Scan saved at 21:42:07, on 31.05.04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKCU\..\Run: [system Update] C:\WINDOWS\System\explorer.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Popup Eliminator (HKLM)

O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38137.672025463

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab

Share this post


Link to post
Share on other sites

This is a fix that was worked out by some of our experts and we can see if it will work here. Post back with an update and fresh HJT log after you run it. If it works, we still have some more cleanup to do:

Please copy the contents of the quote box to notepad:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]

[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]

[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Hit save as and give it the name clear.reg under the filename set file types to all files. Save it to the desktop. After you have completed that, double click the clear.reg file and when asked to merge say "Yes" and reboot.

 

Find this file system32.dll which is probably in either:

  • c:\windows\system32\system32.dll
  • c:\windows\system\system32.dll

... and delete it.

 

Then fix these with hijackthis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php

Share this post


Link to post
Share on other sites

Budfred, you and your experts are stars. It seems to have worked. I can access folders etc in normal mode and I am not being redirected anymore. Thank you ;D

 

Here is the new log. Cleaning up would also be appreciated as I am :wtf:

 

Logfile of HijackThis v1.97.3

Scan saved at 00:02:07, on 01.06.04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM32\WINTIME.EXE

C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

 

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Popup Eliminator (HKLM)

O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38137.672025463

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab

Share this post


Link to post
Share on other sites

That is great to hear...

 

For cleanup, most of it is gone... This is probably bad and should be fixed by HJT unless you recognize it. If you are not sure, you can find it and check Properties with a Right click on the mouse, then see if it is from a legit company:

 

O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe

 

This one appears to be legit, but just want to be sure... are you familiar with it??

 

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

 

If it is bad, you will also have to remove it with Add/Remove Programs or delete it here:

 

C:\WINDOWS\SYSTEM32\WINTIME.EXE

 

Also, find and delete this if it doesn't seem legit. You may need to have Windows show all hidden files to find it:

 

C:\WINDOWS\SYSTEM\ETDIN.exe

 

That seems to be it, but post back another HJT log after a reboot to be sure... Also, here is my prevention speech so you can protect yourself from future infection:

 

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Share this post


Link to post
Share on other sites

Thanks again Butfred.

 

The wintime.exe gives me no info and when I try to delete it it says it comes from windows.

The ETDIN.exe can't be found which I know is wierd but I have hidden files on and a search doesn't even find it.

 

Bad or not if I delete both these files with Highjackthis will/could it harm my comp? I don't car if some Mickey Mouse program I have forgotten about won't work but will it affect windows?

 

Lastly, You are absoloutly right about prevention and I am changing to Opera!

 

Cheers again,

 

Iain

Share this post


Link to post
Share on other sites

Here is a description of WinTime I found on Google:

WinTime

 

This utility, which runs from your system tray, can keep track of how much time has elapsed since you last booted up, active your screen saver, selectively close Explorer windows, quickly launch programs you use most often, create hot keys, and customize tray icons.

It is clearly not from Microsoft, but if you have a program that meets that description, it is probably okay...

 

If you couldn't find this program, it is probably a morpher:

 

O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe

 

That means it takes a new name each time you reboot the system... To find it, you will either have to post a fresh log and I will tell you which one it is, then you would fix it and delete it without rebooting.... OR.... you can find the file that wasn't in the last HJT log and that is in the same folder and fix it with HJT and then delete it... You may have to tracking it down in Running Processes in Task Manager and stop it before you can delete it. You could also try booting to Safe Mode and use HJT to find it, since it is more likely it wouldn't load at boot in Safe Mode.... Nasty little bug these morphers....

 

Whatever way you decide to go, post a fresh HJT log after a reboot so we can make sure we got it all....

Share this post


Link to post
Share on other sites

Thanks again for the help Budfred.

 

I decided to delete both the possibly dodgy files and below is the new log without a reboot.

The ETDIN.exe file was still in the HJS scan even though I was unable to find the file either with a search or manually. It is now gone. I know my hard drive could do with being re formatted but I am still gtrateful for any input on dodgy files.

 

 

Logfile of HijackThis v1.97.3

Scan saved at 20:40:04, on 03.06.04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM32\WINTIME.EXE

C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.telegraph.co.uk/

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Popup Eliminator (HKLM)

O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38137.672025463

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab

Share this post


Link to post
Share on other sites

You don't need to reformat because of this garbage, we may have succeeded in cleaing it up!! However, we need a log AFTER a reboot to make sure the morpher is really gone. It is possible to fix it in HJT, but then have it reappear in the next reboot... So post that and we can check it out....

Share this post


Link to post
Share on other sites

Ok, here's the log after a reboot.

 

Logfile of HijackThis v1.97.3

Scan saved at 23:13:59, on 04.06.04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.telegraph.co.uk/

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Popup Eliminator (HKLM)

O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...38137.672025463

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/7b77298...all/xscan53.cab

 

 

Any ideas? :-)

Share this post


Link to post
Share on other sites

Are you still having a problem??

 

Your log appears to be clean, so if you aren't having a problem, it is time to tighten up security to keep it clean and then celebrate... Here is my speech for prevention:

 

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

 

If you are having trouble, post back and we will look at other tools to solve it... post as much detail as possible so I can get an idea of what the problem might be...

Share this post


Link to post
Share on other sites

Comp seems to have returned to normal. Your advice has been taken and various security measures undertaken. Many thanks once again and kep up the work for all an amazing site!! :love:

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0