rjohnson107

Do I have a new variant of CWS?

10 posts in this topic

I am just about ready to blow me dang PC up. I tried CWShredder and HijackThis (the latest version), but the damn URLs keep popping back up. I even tried to manually delete them. Any suggestions?

Much love for any help to you all.

Here's the log file.

 

:alarm: Logfile of HijackThis v1.97.7

Scan saved at 5:11:37 PM, on 6/2/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MSGLOOP.EXE

C:\WINDOWS\SYSTEM\MSG32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php


Hey, I have the same problem too. My homepage keeps getting redirected to 213.159.117.132/Index.php, and I tried all the spyware removers out there today and they didn't solve the problem, and I don't know how to remove it, so I'm waiting for help too. Make sure you never go to that site because they will put porn dialers and they also tried to steal my internet settings!


Bump

Here's the latest startup list as well.

 

StartupList report, 6/3/2004, 3:42:31 PM

StartupList version: 1.52

Started from : C:\WINDOWS\DESKTOP\SPYWARE STUFF\STARTUPLIST.EXE

Detected: Windows ME (Win9x 4.90.3000)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MSGLOOP.EXE

C:\WINDOWS\SYSTEM\MSG32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\WINDOWS\SYSTEM\HPSYSDRV.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\RunDLL.exe

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\DESKTOP\SPYWARE STUFF\STARTUPLIST.EXE

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\WINDOWS\Start Menu\Programs\StartUp]

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

ScanRegistry = c:\windows\scanregw.exe /autorun

TaskMonitor = c:\windows\taskmon.exe

SystemTray = SysTray.Exe

Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe

HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe

hpsysdrv = c:\windows\system\hpsysdrv.exe

Adaptec DirectCD = C:\Program Files\DirectCD\DIRECTCD.EXE

PCHealth = c:\windows\PCHealth\Support\PCHSchd.exe -s

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

Vshwin32EXE = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

VsStatEXE = C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING

VsecomrEXE = C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

SchedulingAgent = mstask.exe

Vshwin32EXE = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE

*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

ares = "C:\PROGRAM FILES\ARES\ARES.EXE" -h

Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=Explorer.exe

SCRNSAVE.EXE=

drivers=mmsystem.dll power.drv

 

--------------------------------------------------

 

C:\WINDOWS\WININIT.BAK listing:

(Created 18/5/2004, 12:43:28)

 

[Rename]

NUL=c:\windows\cookies\s j@servedby.advertising[2].txt

NUL=c:\windows\cookies\s j@zedo[1].txt

NUL=c:\windows\cookies\s j@advertising[1].txt

NUL=c:\windows\cookies\s j@mediaplex[1].txt

NUL=c:\windows\cookies\s j@z1.adserver[1].txt

NUL=c:\windows\cookies\s j@atdmt[2].txt

NUL=c:\windows\cookies\s j@doubleclick[1].txt

 

--------------------------------------------------

 

C:\AUTOEXEC.BAT listing:

 

SET windir=C:\WINDOWS

SET winbootdir=C:\WINDOWS

SET COMSPEC=C:\WINDOWS\COMMAND.COM

SET PROMPT=$p$g

SET TEMP=C:\windows\TEMP

SET TMP=c:\windows\TEMP

SET PATH=c:\windows;c:\windows\COMMAND

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL - {02478D38-C3F9-4efb-9B51-7695ECA05670}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

Tune-up Application Start.job

PCHealth Scheduler for Data Collection.job

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

System: C:\WINDOWS\system32\system32.dll

OLE Automation Module: C:\WINDOWS\SYSTEM\child.dll

 

--------------------------------------------------

End of report, 5,921 bytes

Report generated in 0.328 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


Copy the contents of the quote box to Notepad.

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]

[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]

[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

 

 

 

 

 

Click File > Save As, give it the name clear.reg, and under the filename set the file type to All Files. Save it to the desktop. When done, double-click clear.reg; when asked to merge, say yes.

 

Reboot. Delete these files if there:

 

C:\WINDOWS\system32\system32.dll

 

Then fix the infected R0 and R1 entries with HijackThis.

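A check to run on fresh scans taken after the steps above, added here as an example and not part of any post in this thread: it parses HijackThis R0/R1 lines and StartupList's ShellServiceObjectDelayLoad section and reports whether the hijacked page or the removed "System" value is still present. The function names and sample text are constructed for illustration; the line formats follow the logs posted above.

```python
import re
from urllib.parse import urlparse

# Constructed samples in the format of the logs posted in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.example.com/
"""
SAMPLE_STARTUPLIST = r"""
Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
"""
R_LINE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")

def parse_r_entries(log):
    """Return (code, hive, value_name, data) for each R0/R1 line."""
    found = (R_LINE.match(line.strip()) for line in log.splitlines())
    return [(m[1], m[2], m[4], m[5].strip()) for m in found if m]

def parse_ssodl(report):
    """Map name -> DLL path from the ShellServiceObjectDelayLoad section."""
    items, inside = {}, False
    for line in map(str.strip, report.splitlines()):
        if line.startswith("Enumerating ShellServiceObjectDelayLoad"):
            inside = True
        elif inside and line.startswith("-----"):
            break  # the dashed rule ends the section
        elif inside and ": " in line:
            name, path = line.split(": ", 1)
            items[name] = path
    return items

def remaining_after_fix(hjt_log, startup_report, bad_host, ssodl_name):
    """List what is still present in rescans taken after the cleanup."""
    left = [f"{c} {h} {n}" for c, h, n, d in parse_r_entries(hjt_log)
            if urlparse(d).hostname == bad_host]
    if ssodl_name in parse_ssodl(startup_report):
        left.append(f"SSODL {ssodl_name}")
    return left

if __name__ == "__main__":
    print(remaining_after_fix(SAMPLE_HJT, SAMPLE_STARTUPLIST,
                              "213.159.117.132", "System"))
```

An empty list from `remaining_after_fix` on the post-reboot scans means neither the start-page values nor the "System" entry has returned.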

THANK YOU THANK YOU THANK YOU!!!

That did the trick.

Some of my desktop icons are washed out/screwed up, but I think it's because I deleted another file as well. But I can live w/ it.

Thanks again!!

:D

Gig'Em
