• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
infinite

Help with removing CWS, please!

14 posts in this topic

Hi, I tried to remove the about:blank variant of CWS with all possible tools, but it's still there according to Ad-Aware. CWSshredder doesn't show anything though. I get no homepage resets anymore, just explorer bar resets and some pop-ups. Hijackthis log shows the cws is still there as well. I delete it everytime with ad-aware, but, naturally, it's there again after a reboot. Here is my HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 15:33:23, on 4. 6. 2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ICQLite\ICQLite.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Documents and Settings\Name\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.nvidia.com/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [mmsys] C:\recover.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/Live...ice_4_EN_XP.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

 

 

This is killing me.

I'd be really happy if you could help me, thanks.

Share this post


Link to post
Share on other sites

In hijackthis fix :

 

*R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

*O4 - HKLM\..\Run: [mmsys] C:\recover.exe

*O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.236/buka.chm::/x.exe

*O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Program Files\Q330994.exe

*O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab

*O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/Live...ice_4_EN_XP.cab

*O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

*O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} - http://akamai.downloadv3.com/binaries/IA/netpe32_EN_XP.cab

 

Restart computer.

Search and delete if exist:

C:\Program Files\Q330994.exe<

 

Do you know what this is?

C:\recover.exe

If not, 'kill' it as well.

(*Don't confuse with other locations as System32,

, Dllcache, Windows\ (Service packs, etc.)

those are legit! )

RightClick and confirm the file's properties, first!

 

Next--

Click on the 'Find-All page' link in my signature.

Download and Install: "FIND-ALL.EXE"

Run the 'Find-All.cmd, file, wait for the log and post it here.

Share this post


Link to post
Share on other sites

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9 -6/05 @@@***==--

 

 

Fri Jun 04 18:31:44 2004 -- ¬¬Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (F01D:A37B) - FS:NTFS clusters:4k

Total: 80 015 491 072 [75G] - Free: 63 923 728 384 [60G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q832894;Q330994;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 9.0.0.2980 shp 73,728 12-11-2002 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 05-25-2004 notepad.exe

5.1.2600.0 C:\WINDOWS\System32\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 05-25-2004 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe

 

 

»»PC uptime:

6:31pm up 0 days, 0:15

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

4 System

608 smss.exe

656 csrss.exe Title:

680 winlogon.exe Title: NetDDE Agent

724 services.exe Svcs: Eventlog,PlugPlay

736 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs

928 svchost.exe Svcs: RpcSs

1028 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa

ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,RasMan,Sched

le,seclogon,SENS,ShellHWDetection,srservice,TapiSrv,TermService,Themes,TrkWks,up

oadmgr,W32Ti

1056 StyleXPService.eOleMainThreadWndNameSvcs: StyleXPService

1172 svchost.exe Svcs: Dnscache

1204 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient

1404 spoolsv.exe Svcs: Spooler

1700 explorer.exe Title: Program Manager

1852 CTHELPER.EXE Title: CtHelper

1860 realsched.exe Title: Notification Wnd for RNAdmin

1880 ctfmon.exe Title:

228 mdm.exe Svcs: MDM

264 nvsvc32.exe Svcs: NVSvc

536 iexplore.exe Title: SWI Forums -> Help with removing CWS, please! - Microsoft Internet Explorer

1244 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

1024 ntvdm.exe

1124 rundll32.exe Title:

1184 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"Appinit_Dlls"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : Appinit_Dlls

 

»»Group/user settings:

 

 

User: [NAME-IETMS0KJ26\Name], is a member of:

 

BUILTIN\Administrators

\Everyone

 

User is a member of group NAME-IETMS0KJ26\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx BUILTIN\Administrators:(OI)(CI)F

NT AUTHORITY\SYSTEM:(OI)(CI)F

NAME-IETMS0KJ26\Name:F

CREATOR OWNER:(OI)(CI)(IO)F

BUILTIN\Users:(OI)(CI)R

BUILTIN\Users:(CI)(special access:)

 

FILE_APPEND_DATA

 

BUILTIN\Users:(CI)(special access:)

 

FILE_WRITE_DATA

 

 

ERROR: There are no more files.

 

 

»»File(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

 

»»hosts file Size: (Default/plain: ~732-4 bytes)

--a-- - - - - - 135 05-25-2004 oldhosts.txt

------

»»Rehash:

 

Fri Jun 04 18:31:51 2004 -- ¬¬Find-All backups:

c:\find-all\find-all\winBackup.hiv

--a-- - - - - - 8,192 06-04-2004 winbackup.hiv

c:\find-all\find-all\windows.txt

--a-- - - - - - 8,192 06-04-2004 windows.txt

--a-- - - - - - 8,192 06-04-2004 findallwinbackup.hiv

--a-- - - - - - 632 06-04-2004 findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

 

 

 

Thanks. Couldn't find C:\recover.exe

Share this post


Link to post
Share on other sites

Your log appear to be clean....

 

Hmmm.. try this:

In the Find-All\ Subfolder, you should find a file "windows.txt".

It has some strange characters, copy and post

it's entire contents here!

 

In addition, restart your computer in safe mode, find and delete:

C:\WINDOWS\System32\bbacca.dll file!

 

Run hijackthis in safe mode and fix checked

All the 'R1 - ' lines.

 

Reboot, reset your home page and post another hijackthis log!

Share this post


Link to post
Share on other sites

regf Pugf hbin  ˙˙˙nk, PȱÔčHÄ ˙˙˙˙ ˙˙˙˙˙˙˙˙ € ˙˙˙˙ 0 @ $ Windowsows Čţ˙˙sk € € ” ě

!

€ ! #

€ # ?

?

?

Đ˙˙˙vk č ŔUDeviceNotSelectedTimeoutđ˙˙˙1 5 Ř(ÍW ¸ Đ˙˙˙vk €' zGDIProcessHandleQuota"ţđ˙˙˙9 0 ! ŕ˙˙˙vk ` °şSpooler2đ˙˙˙y e s Ŕ ŕ˙˙˙vk € =pswapdisk ¸ @ p ¨ Đ˙˙˙vk 0 RżTransmissionRetryTimeoutĐ˙˙˙vk €' USERProcessHandleQuota ŕ˙˙˙¸ @ p ¨ Ř ( Ř˙˙˙vk € x Appinit_Dllsout˙°

Share this post


Link to post
Share on other sites

Wow! There is NO bbacca.dll in my computer! And I also couldn't fix those R1 reg lines. I tried to manually delete them in regedit, with no effect of course... It said the values can't be deleted. I'm so tired of this.

Share this post


Link to post
Share on other sites

First, you didn't post the "entire" contents of the

'windows.txt' file!

Try again, using 'edit>select all> copy and post.

 

Can you post another hijackthis log?

Share this post


Link to post
Share on other sites

regf Pugf hbin  ˙˙˙nk, PȱÔčHÄ ˙˙˙˙ ˙˙˙˙˙˙˙˙ € ˙˙˙˙ 0 @ $ Windowsows Čţ˙˙sk € € ” ě

!

€ ! #

€ # ?

?

?

Đ˙˙˙vk č ŔUDeviceNotSelectedTimeoutđ˙˙˙1 5 Ř(ÍW ¸ Đ˙˙˙vk €' zGDIProcessHandleQuota"ţđ˙˙˙9 0 ! ŕ˙˙˙vk ` °şSpooler2đ˙˙˙y e s Ŕ ŕ˙˙˙vk € =pswapdisk ¸ @ p ¨ Đ˙˙˙vk 0 RżTransmissionRetryTimeoutĐ˙˙˙vk €' USERProcessHandleQuota ŕ˙˙˙¸ @ p ¨ Ř ( Ř˙˙˙vk € x Appinit_Dllsout˙°

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 20:38:20, on 4. 6. 2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Name\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\bbacca.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Ok...

Do you have tools there that monitor changes to the browser pages?

Like...

O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT

 

Disable it from guarding or starting.

 

Next, try fixing R1 again in hijackthis.

 

If that won't work, Open regedit:

to-

HKEY_CURRENT_USER\Software\

Microsoft\Internet Explorer\Main

 

Locate on the right side, "Search Bar",

"SearchPage", "HomeOldSP" right click on them , delete!

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0