Help with removing CWS, please!


13 replies to this topic

#1 infinite

Posted 04 June 2004 - 08:33 AM

Hi, I tried to remove the about:blank variant of CWS with all possible tools, but it's still there according to Ad-Aware. CWSShredder doesn't show anything though. I get no homepage resets anymore, just explorer bar resets and some pop-ups. The HijackThis log shows the CWS is still there as well. I delete it every time with Ad-Aware, but, naturally, it's there again after a reboot. Here is my HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 15:33:23, on 4. 6. 2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Name\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.nvidia.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmsys] C:\recover.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.1...Recomendada.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ice_4_EN_XP.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab


This is killing me.
I'd be really happy if you could help me, thanks.

#2 infinite

Posted 04 June 2004 - 09:57 AM

bump

#3 infinite

Posted 04 June 2004 - 10:33 AM

please help if you can

#4 freeatlast (Retired Staff)

Posted 04 June 2004 - 10:55 AM

In HijackThis, fix:

*R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
*O4 - HKLM\..\Run: [mmsys] C:\recover.exe
*O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
*O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
*O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.1...Recomendada.cab
*O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downlo...ice_4_EN_XP.cab
*O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
*O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downlo...tpe32_EN_XP.cab

Restart the computer.
Search for and delete, if it exists:
C:\Program Files\Q330994.exe

Do you know what this is?
C:\recover.exe
If not, 'kill' it as well.
(*Don't confuse it with other locations such as System32, Dllcache, Windows\ (service packs, etc.); those are legit!)
Right-click and confirm the file's properties first!

Next--
Click on the 'Find-All page' link in my signature.
Download and install "FIND-ALL.EXE".
Run the 'Find-All.cmd' file, wait for the log and post it here.
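The triage the reply above performs by eye can be written down as a check over HijackThis 1.97 log lines. The script below is an added example for this thread, not part of the original post or of any tool it names: it flags R1 start/search pages served from a res:// DLL resource, an R3 URLSearchHook with no backing file, an O4 autorun executable sitting in the drive root, and O16 DPF entries whose codebase is a local file://, an ms-its: handler or a bare .exe (or a control that calls itself a dialer). The sample lines are a constructed subset copied from the log posted above.

```python
"""Heuristic triage of HijackThis 1.97 log lines (added example)."""
import re

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.nvidia.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [mmsys] C:\recover.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.2...uka.chm::/x.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.1...Recomendada.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

# Every HJT line starts with a section tag (R1, O4, O16, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# A program launched straight from the drive root, e.g. C:\recover.exe.
ROOT_EXE_RE = re.compile(r"[A-Za-z]:\\[^\\]+\.exe", re.IGNORECASE)


def classify(line):
    """Return a short reason if the line looks hostile, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "R1":
        # Value after " = " is the configured start/search page.
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value.lower().startswith("res://"):
            return "R1: start/search page served from a DLL resource"
    elif kind == "R3":
        if body.endswith("(no file)"):
            return "R3: URLSearchHook with no backing file"
    elif kind == "O4":
        # Command line follows the "[name] " prefix.
        cmd = body.split("] ", 1)[-1].strip().strip('"')
        if ROOT_EXE_RE.fullmatch(cmd):
            return "O4: autorun executable sitting in the drive root"
    elif kind == "O16":
        codebase = body.rsplit(" - ", 1)[-1].lower()
        if codebase.startswith(("file://", "ms-its:")) or codebase.endswith(".exe"):
            return "O16: DPF codebase is a local file, ms-its handler or bare .exe"
        if "dialer" in body.lower():
            return "O16: DPF control names itself a dialer"
    return None


def triage(log_text):
    """Map each flagged log line (stripped) to the reason it was flagged."""
    return {ln.strip(): why for ln in log_text.splitlines()
            if (why := classify(ln)) is not None}


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(f"{why}\n    {line}")
```

The rules are deliberately narrower than the helper's judgement (the akamai .cab entries are not flagged), so treat the output as a shortlist to check, not a verdict.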

#5 infinite

Posted 04 June 2004 - 11:32 AM

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--


Fri Jun 04 18:31:44 2004 -- ¬¬Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (F01D:A37B) - FS:NTFS clusters:4k
Total: 80 015 491 072 [75G] - Free: 63 923 728 384 [60G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;

»»Google:

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 05-25-2004 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 05-25-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
6:31pm up 0 days, 0:15

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
4 System
608 smss.exe
656 csrss.exe Title:
680 winlogon.exe Title: NetDDE Agent
724 services.exe Svcs: Eventlog,PlugPlay
736 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
928 svchost.exe Svcs: RpcSs
1028 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Sched
le,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,up
oadmgr,W32Ti
1056 StyleXPService.eOleMainThreadWndNameSvcs: StyleXPService
1172 svchost.exe Svcs: Dnscache
1204 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1404 spoolsv.exe Svcs: Spooler
1700 explorer.exe Title: Program Manager
1852 CTHELPER.EXE Title: CtHelper
1860 realsched.exe Title: Notification Wnd for RNAdmin
1880 ctfmon.exe Title:
228 mdm.exe Svcs: MDM
264 nvsvc32.exe Svcs: NVSvc
536 iexplore.exe Title: SWI Forums -> Help with removing CWS, please! - Microsoft Internet Explorer
1244 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1024 ntvdm.exe
1124 rundll32.exe Title:
1184 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : Appinit_Dlls

»»Group/user settings:


User: [NAME-IETMS0KJ26\Name], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group NAME-IETMS0KJ26\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
NAME-IETMS0KJ26\Name:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file Size: (Default/plain: ~732-4 bytes)
--a-- - - - - - 135 05-25-2004 oldhosts.txt
------
»»Rehash:

Fri Jun 04 18:31:51 2004 -- ¬¬Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-04-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-04-2004 windows.txt
--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv
--a-- - - - - - 632 06-04-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows





Thanks. Couldn't find C:\recover.exe

#6 freeatlast (Retired Staff)

Posted 04 June 2004 - 12:14 PM

Your log appears to be clean....

Hmmm.. try this:
In the Find-All\ subfolder, you should find a file "windows.txt".
It has some strange characters; copy and post
its entire contents here!

In addition, restart your computer in safe mode, then find and delete the
C:\WINDOWS\System32\bbacca.dll file!

Run HijackThis in safe mode and fix (checked)
all the 'R1 - ' lines.

Reboot, reset your home page and post another HijackThis log!

#7 infinite

Posted 04 June 2004 - 12:29 PM

regf       Pugf hbin   ˙˙˙nk, PȱÔčHÄ ˙˙˙˙ ˙˙˙˙˙˙˙˙  € ˙˙˙˙ 0 @ $  Windowsows Čţ˙˙sk € €    ”     ě
     !
 €  !      #
 €  #  ?    
     ?   
    ?    
        Đ˙˙˙vk  č   ŔUDeviceNotSelectedTimeoutđ˙˙˙1 5  Ř(ÍW ¸ Đ˙˙˙vk  €'   zGDIProcessHandleQuota"ţđ˙˙˙9 0  ! ŕ˙˙˙vk  `   °şSpooler2đ˙˙˙y e s Ŕ ŕ˙˙˙vk  €   =pswapdisk ¸  @ p ¨ Đ˙˙˙vk  0   RżTransmissionRetryTimeoutĐ˙˙˙vk  €'   USERProcessHandleQuota ŕ˙˙˙¸  @ p ¨ Ř ( Ř˙˙˙vk  €   x Appinit_Dllsout˙°

#8 infinite

Posted 04 June 2004 - 12:51 PM

Wow! There is NO bbacca.dll in my computer! And I also couldn't fix those R1 reg lines. I tried to manually delete them in regedit, with no effect of course... It said the values can't be deleted. I'm so tired of this.

#9 freeatlast (Retired Staff)

Posted 04 June 2004 - 01:21 PM

First, you didn't post the "entire" contents of the
'windows.txt' file!
Try again, using 'edit > select all > copy', and post.

Can you post another HijackThis log?

#10 infinite

Posted 04 June 2004 - 01:37 PM

regf       Pugf hbin   ˙˙˙nk, PȱÔčHÄ ˙˙˙˙ ˙˙˙˙˙˙˙˙  € ˙˙˙˙ 0 @ $  Windowsows Čţ˙˙sk € €    ”     ě
     !
 €  !      #
 €  #  ?    
     ?   
    ?    
        Đ˙˙˙vk  č   ŔUDeviceNotSelectedTimeoutđ˙˙˙1 5  Ř(ÍW ¸ Đ˙˙˙vk  €'   zGDIProcessHandleQuota"ţđ˙˙˙9 0  ! ŕ˙˙˙vk  `   °şSpooler2đ˙˙˙y e s Ŕ ŕ˙˙˙vk  €   =pswapdisk ¸  @ p ¨ Đ˙˙˙vk  0   RżTransmissionRetryTimeoutĐ˙˙˙vk  €'   USERProcessHandleQuota ŕ˙˙˙¸  @ p ¨ Ř ( Ř˙˙˙vk  €   x Appinit_Dllsout˙°

#11 infinite

Posted 04 June 2004 - 01:38 PM

Logfile of HijackThis v1.97.7
Scan saved at 20:38:20, on 4. 6. 2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Name\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#12 infinite

Posted 04 June 2004 - 01:38 PM

That is the whole thing. Really!

#13 freeatlast (Retired Staff)

Posted 04 June 2004 - 01:58 PM

Ok...
Do you have tools there that monitor changes to the browser pages?
Like...

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

Disable it from guarding or starting.

Next, try fixing R1 again in HijackThis.

If that won't work, open regedit and go to:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Locate on the right side "Search Bar",
"SearchPage" and "HomeOldSP"; right-click on them and delete!

#14 infinite

Posted 05 June 2004 - 06:46 AM

Thanks! I had to delete those R1s in regedit, but it seems I'm clean now.
Thanks again.