Slav

Please don't let the bastards grind me down...HELP

23 posts in this topic

Symptoms: my start page changes, typing is slow as well as scrolling the pages, the internet is slow, the copy/paste function is slow, downloading pages takes forever, pop-ups... Ironically (or is it?), most of the pop-ups are spyware removal commercials :-)

Ad-aware 6.0 has been run several times but the same problems occur.

Help will be really appreciated.

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 05:17:34, on 2004-06-02

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Ahead\InCD\InCDsrv.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program\NORTON~1\navapw32.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program\Winamp\Winampa.exe

C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

C:\Program\Ahead\InCD\InCD.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program\ICQLite\ICQLite.exe

C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Microsoft Office\Office\OSA.EXE

C:\Program\NORTON~1\navw32.exe

C:\Program\Lavasoft\AD-AWA~1\Ad-aware.exe

C:\Program\Internet Explorer\iexplore.exe

C:\WINDOWS\REGEDIT.exe

C:\Documents and Settings\BLOBB\Lokala inställningar\Temp\Temporär katalog 2 för hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot

O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe

O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7880.3338310185

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O19 - User stylesheet: C:\WINDOWS\win32.bmp


Let's start with CoolWebSearch. Remove it by downloading CWShredder at www.spywareinfo.com/~merijn/files/CWShredder.exe. Save it to your desktop. Double click it and hit Fix. Let it run and hit Exit. Then restart your computer and post a new log :)


I have done that and the message was not infected/not present.

Maybe I should say that the start page has changed into C:\spad now. I still do have my Internet Options functioning under Tools, though (but that doesn't help to change the page, of course).

 

new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 06:19:32, on 2004-06-02

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Ahead\InCD\InCDsrv.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program\NORTON~1\navapw32.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program\Winamp\Winampa.exe

C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

C:\Program\Ahead\InCD\InCD.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program\ICQLite\ICQLite.exe

C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Microsoft Office\Office\OSA.EXE

C:\Program\Internet Explorer\iexplore.exe

C:\Documents and Settings\BLOBB\Lokala inställningar\Temp\Temporär katalog 3 för hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot

O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe

O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7880.3338310185

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O19 - User stylesheet: C:\WINDOWS\win32.bmp


One thing at a time ...

 

Copy the contents of the quote box to notepad.

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]

[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]

[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]

Select "File" => "Save As" and give it the name clear.reg. Under the filename change save as type to all files and save it to the desktop. Close notepad. Double click the clear.reg file and when asked to merge say yes. Reboot.

Delete the following:

  • C:\documents and settings\(username)\LOCAL Settings\Temp <= Delete all the contents but not the folder itself.
  • C:\WINDOWS\System32\c_10230.dll
  • c:\spad <= Delete this folder

Then load up hijackthis and fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.com/search.php?said=spage

 

Please post a new hijackthis log when done.


I forgot to add first step ...

Please create a new directory C:\HJT and move the HijackThis.exe file into that directory and only run it from there. That way we can ensure that we have the backup files available in the event that they are needed.


My computer can't find NotePad.exe! What do I do then? Would WordPad do? Does it matter? Sorry, don't know much about all those things....


OK, check c:\windows for notepad.exe.

 

It should be there, about 65 KB.

Check c:\windows\system32 for notepad.

You should find it missing.

 

Copy the one from windows over to system32 so it's in both.


Please surf to http://www.billsway.com/vbspage/ and scroll down to Registry Search Tool. Download, unzip and run RegSrch.vbs

 

Copy and paste this in the dialog box: changes_homepage.dll

 

After a while a prompt will come up. Click OK to write the results to wordpad and post them.


ok, fixed with notepad, sorry, just me being stupid probably...

Here comes the 8th option (my ieextensions) that shadowwar asked me for before:

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2222A5CF-2611-40C6-9CC3-AF0BE9001E91}]

"clsid"="{2222A5CF-2611-40C6-9CC3-AF0BE9001E91}"

"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"

"ButtonText"="Microsoft® JavaScript® Console"

"Default Visible"="No"

"HotIcon"="@shdoclc.dll,36"

"MenuStatusBar"="@shdoclc.dll,-865"

"MenuText"="JavaScript Console"

"ToolTip"="Opens JavaScript Console"

"ImageFilename"="shdocvw.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]

"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]

"clsid"="{869EE607-5376-486d-8DAC-EDC8E239AD5F}"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}]

@=""

"ButtonText"="ICQ 4.0"

"MenuText"="ICQ Lite"

"Default Visible"="YES"

"Exec"="C:\\Program\\ICQLite\\ICQLite.exe"

"Icon"="C:\\Program\\ICQLite\\ICQLite.exe,1040"

"HotIcon"="C:\\Program\\ICQLite\\ICQLite.exe,1040"

"clsid"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"


The RegSrch wouldn't run. I get a message from Windows Script Host:

line: 8

letter: 12

error: amount is not supported (or the object has been deleted)

Code: 80040111,

or something like that (since I don't get the message in English I had to translate it) :-)

What do I do next?

Should I follow PGPhantom's advice and do what he wrote above?


:love: It seems to be working right now, and I'm overly happy.

In that case, thank you all guys so much for your help and patience, you are doing a great job and it's really appreciated (although I do hope I won't have to come back here :D )

 

Here's the new log, is there anything else there that should be cleaned up?

 

Logfile of HijackThis v1.97.7

Scan saved at 23:21:10, on 2004-06-02

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Ahead\InCD\InCDsrv.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program\NORTON~1\navapw32.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\Program\Winamp\Winampa.exe

C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

C:\Program\Ahead\InCD\InCD.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Microsoft Office\Office\OSA.EXE

C:\Program\Internet Explorer\iexplore.exe

C:\Documents and Settings\BLOBB\Lokala inställningar\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe

O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7880.3338310185

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O19 - User stylesheet: C:\WINDOWS\win32.bmp

 

Thank you.


Yeah you have a bunch more stuff. Please stay away from questionable sites till we get you all cleaned up and get some protections in place.

 

 

Please close all windows and Internet Explorer windows. Check-mark only the following items in HijackThis.

F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe

O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe

O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O19 - User stylesheet: C:\WINDOWS\win32.bmp

 

 

 

Click the fix button. Close hijackthis.

 

Reboot and show hidden files and folders per the link in my signature.

Please delete the following files or folders.

 

Files:

C:\WINDOWS\win32.bmp

c:\windows\win.exe

C:\WINDOWS\System32\services\wmplayer.exe

C:\Program\Windows Media Player\wmplayer.exe

Folders:

 

 

 

You are going to have to reinstall Media Player 9 as it's infected.

 

Run a new log and post it here

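As an added example (not code from this thread or from HijackThis), here is a small Python triage pass over the kinds of log entries the helpers told the poster to fix in the posts above: IE start/search settings pointing at a local file or at the redirect host, a win.ini run= hook, an autorun executable sitting directly in C:\WINDOWS, an O16 ActiveX entry "downloaded" from file://, and an O19 user stylesheet. The sample lines are copied from the logs in this thread, the host list is constructed from them rather than taken from any reputation feed, and the rules are reviewer heuristics, not signatures; a log parser cannot tell that the wmplayer.exe under Program\Windows Media Player is itself infected, which is why the helper asks to check its file properties.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, mixed with benign entries from the same logs so the rules have
# something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp
"""

# Hosts the helpers marked for fixing in this thread (constructed list, not a
# reputation feed); a real triage tool would consult a maintained blocklist.
HIJACK_HOSTS = {"www.myexexex.com"}

# Assumed Windows directory; on the poster's XP box it is C:\WINDOWS.
WINDIR = r"c:\windows"


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O16"
    reason: str
    line: str


# Every HijackThis entry starts with a section code such as R0, F1 or O16.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


def _url_in(body: str) -> Optional[str]:
    """Return the first http(s)/file URL in an entry body, or None."""
    m = re.search(r"(?:https?|file)://\S+", body, re.IGNORECASE)
    return m.group(0) if m else None


def _exe_path(body: str) -> Optional[str]:
    """Pull the executable path (with or without quotes) out of an O4 entry."""
    m = re.search(r"[A-Za-z]:\\.+?\.exe", body, re.IGNORECASE)
    return m.group(0) if m else None


def triage(log_text: str) -> List[Finding]:
    """Apply the hand rules a reviewer used on this thread's logs."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        url = _url_in(body)
        if sec in ("R0", "R1", "O13") and url:
            parts = urlsplit(url)
            if parts.scheme.lower() == "file":
                findings.append(Finding(sec, "IE start/search setting points at a local file", line))
            elif parts.hostname in HIJACK_HOSTS:
                findings.append(Finding(sec, f"IE setting redirected to {parts.hostname}", line))
        elif sec == "F1":
            # win.ini run= is a legacy autostart hook; on XP it is rarely legitimate.
            findings.append(Finding(sec, "win.ini run= autostart hook", line))
        elif sec == "O4":
            exe = _exe_path(body)
            if exe and exe.lower().rsplit("\\", 1)[0] == WINDIR:
                findings.append(Finding(sec, "autorun executable sits directly in the Windows directory", line))
        elif sec == "O16" and url and url.lower().startswith("file://"):
            findings.append(Finding(sec, "ActiveX 'download' sourced from a local file", line))
        elif sec == "O19":
            # IE user stylesheet; a .bmp here is not a stylesheet at all.
            findings.append(Finding(sec, "IE user stylesheet set", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```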

Just a comment - You did not move HijackThis into a new directory c:\HJT. It is always suggested just in case we need to restore any deleted entries.


I can't delete C:\Program\Windows Media Player\wmplayer.exe; it keeps coming back in 5-6 seconds. The folder contains some "migrate" program of 764 KB, should it be there?

My start page now changes into some martfinder or something and then to blank.

Also some palazzo situation + this X shortcut on the desktop that someone else has mentioned.


By the way, what am I being warned for? (Warn: (0%) ) Just curious...

New log:

Logfile of HijackThis v1.97.7

Scan saved at 08:59:04, on 2004-06-03

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Ahead\InCD\InCDsrv.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program\NORTON~1\navapw32.exe

C:\Program\Winamp\Winampa.exe

C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

C:\Program\Ahead\InCD\InCD.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Microsoft Office\Office\OSA.EXE

C:\Program\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot

O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7880.3338310185

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab


By the way. Only you can see the warn indicator unless you are actually warned for posting an offensive post. 0 means you are not warned.

 

OK, right-click wmplayer.exe and make sure its properties show it is by Microsoft. Windows File Protection may be putting it back.

 

Please close all Internet Explorer windows first.

 

Check and fix these entries:

 

 

 

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

 

After checked and fixed Reboot.

 

 

Then go into Tools, Internet Options.

Go to the Temporary Internet Files section and click the Delete Files button.

 

Post a new log when done.

 

 

Also go to Add or Remove Programs and uninstall P2P Networking. It's unneeded.


Everything seems to be working just fine right now.

The Palazzo casino and the purple X icon didn't show up during the last 24 hours.

 

Once again many thanks to all who helped and especially to you Shadowwar.

 

Here is the last log:

 

Logfile of HijackThis v1.97.7

Scan saved at 22:46:19, on 2004-06-03

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Ahead\InCD\InCDsrv.exe

C:\Program\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program\NORTON~1\navapw32.exe

C:\Program\Winamp\Winampa.exe

C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

C:\Program\Ahead\InCD\InCD.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program\QuickTime\qttask.exe

C:\Program\ICQLite\ICQLite.exe

C:\Program\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program\Microsoft Office\Office\OSA.EXE

C:\Program\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE

O4 - HKLM\..\Run: [inCD] C:\Program\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iCQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7880.3338310185

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
