Help my home page has been taken over


  • This topic is locked
11 replies to this topic

#1 landis7181

landis7181

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 18 May 2004 - 03:26 PM

Every time I open up IE on my mom's computer it automatically goes to http://jksearch.biz/redir.php. I have changed it numerous times but it always goes back. Help! I read other posts and ran adaware, spybot, cwshredder and houseclean. I have also gone into hijackthis and removed all the entries with http://jksearch.biz/redir.php at the end. I have done this normally and also in safe mode. Nothing is helping!!!

logfile of HijackThis v1.97.7
Scan saved at 3:48:27 PM, on 5/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.173.253/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.173.253/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.173.253/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.173.253/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.173.253/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.173.253/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.173.253/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.173.253/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.173.253/search.php
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [Exs.exe] c:\documents and settings\dennis\local settings\temp\Exs.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [o49h37R] dx3rmap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsvsu.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8121.4448842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Quinstar

Quinstar

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 249 posts

Posted 18 May 2004 - 04:33 PM

Hi... welcome...


Close all browsers and programs, except for HiJackThis, scan if not already done, tick the next entries and only hit fix when I say so:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.173.253/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.173.253/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.173.253/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.173.253/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.173.253/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.173.253/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.173.253/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.173.253/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.173.253/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.173.253/search.php

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [Exs.exe] c:\documents and settings\dennis\local settings\temp\Exs.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [o49h37R] dx3rmap.exe

O4 - HKCU\..\Run: [WCPS] C:\WINDOWS\System32\wintsvsu.exe

O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe


Now hit fix...

Reboot and delete the next files:
C:\WINDOWS\System32\winupd.exe
c:\installer\id53.exe
C:\WINDOWS\system32\config\services.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\wintsvsu.exe
C:\WINDOWS\System32\SearchBar.htm


Now, do this:

Turn off system restore:
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box
Click Apply.
As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.


Online Virus Scanner:
Go to TREND MICRO’s free online virus scanner
http://housecall.tre.../start_corp.asp
and deal with it there.


Here's an online Trojan scan:
Click yes when you get prompted...
http://www.trojansca.../trojanscan.htm
And do what they ask...

Next, download this tool
You had a Beagle infection... This will make sure nothing is left of it...
When downloaded, disconnect from the internet, be sure all programs are closed... When the tool is done, reboot and run it once more...


To turn on Windows XP System Restore:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.


After all this is done, hit the windows update pages...
You really need those patches or you could get infected in a very short time...
Go here for the English update pages...
Install ALL critical updates... The others are optional, but recommended too... Read the info about them if you don't want to install them all...

After all this is done, Reboot once more and then post a fresh HiJackThis log...


Good Luck...

Edited by Quinstar, 18 May 2004 - 04:34 PM.

To help us keep this site running, all donations are welcome...
Thank you...
www.masfemi.be

#3 Quinstar


Posted 18 May 2004 - 04:33 PM

Edit: Double post...

Hope you will be back soon...


Greetz...

Edited by Quinstar, 18 May 2004 - 04:33 PM.


#4 landis7181


Posted 18 May 2004 - 11:15 PM

Ok so here is what is going on. I ran hijackthis and fixed everything you told me to. I also deleted all of the files you told me to except I could not find C:\WINDOWS\System32\dp-him.exe. I ran both the virus scanner and the trojan scan and they said I had no problems. The beagle fix tool message stated that a W32 Beagle(A-K, U) @mm was not found. Here is my new log.


Logfile of HijackThis v1.97.7
Scan saved at 11:55:20 PM, on 5/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8121.4448842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Thank you for all of your help so far!

#5 Quinstar


Posted 19 May 2004 - 04:35 AM

Hi...

Let's get some security on you first...

Do the windows updates... Really...
They will get you better protected...

After that, download CWShredder
Run it...


Next:
SpywareBlaster will block bad ActiveX and malevolent cookies...
http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all...
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates...

Install those too... They will minimize threats by almost 95%


Now:
Please copy the contents of the quote box to notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]


Hit save as
Give it the name clear.reg
Under the filename set file types to all files...
Save it to the desktop...

After done double click the clear.reg
When asked to merge say yes...

Reboot


Then find this file:
system32.dll
it's probably in one of two locations:
c:\windows\system32\system32.dll
c:\windows\system\system32.dll
and delete it.


Now, after all this, run HiJackThis and fix these lines once more...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://jksearch.biz/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://jksearch.biz/redir.php


Reboot and post me a fresh log...


Good Luck...

Edited by Quinstar, 19 May 2004 - 07:09 AM.


#6 landis7181


Posted 19 May 2004 - 11:32 AM

I did everything you told me to and here’s the new log. One thing now is that if I have nothing open but then open up task manager it says that all of these IE pages are running. I close them but they just keep opening.

Logfile of HijackThis v1.97.7
Scan saved at 12:24:48 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
F1 - win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\System32\services\all.exe /u
O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8121.4448842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab


thank you

#7 Quinstar


Posted 19 May 2004 - 11:37 AM

Could you please stop surfing the net while I'm fixing you up?
Please...
You're getting new infections all the time...
And if you do want to surf, get all the windows updates and install those two little programs...
Really...
I like to help, but not continuously...

I'll work on your new post to get you cleaned up...


Greetz...

#8 landis7181


Posted 19 May 2004 - 11:45 AM

I did get the windows updates and both of those programs but I will stop surfing.
thank you

#9 Quinstar


Posted 19 May 2004 - 12:15 PM

Hi, me again...

Download CWShredder and run it...

Reboot


Now open HiJackThis and tick and fix the next entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

F1 - win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\System32\services\all.exe /u
O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll32.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab


Reboot again...

Try starting windows media player... I think that's not going to work...
If it doesn't, go here
Download wmplayer, unzip it and run it...

Now, delete the next folder:
C:\WINDOWS\SYSTEM32\services\
And delete this file:
C:\WINDOWS\rundll32.exe

Now post me a fresh log...


Good luck...

#10 Quinstar


Posted 19 May 2004 - 12:17 PM

You didn't get the updates...
These two lines are still the same:
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
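
Post #10 reads the unchanged Platform and MSIE lines as a sign that the updates were not installed, and the logs in posts #4 and #6 differ because new entries appeared between the two scans. The following Python script is an added example (not part of the thread, and not HijackThis code) that parses two logs and reports removed, persisting and new entries plus version lines that did not change; the function names and the abridged log excerpts are assumptions made for illustration.

```python
import re

# An entry line is "<section code> - <text>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
HEADER_KEYS = ("Platform", "MSIE")  # the version lines quoted in post #10

# Constructed sample input: abridged excerpts of the logs in posts #4 and #6.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 11:55:20 PM, on 5/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jksearch.biz/redir.php
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 12:24:48 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
F1 - win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM32\services\wmplayer.exe
"""


def parse_log(text):
    """Return (header, entries): header maps Platform/MSIE to their values,
    entries is a set of (section_code, entry_text) tuples."""
    header, entries = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.add((match.group(1), match.group(2)))
            continue
        key, sep, value = line.partition(":")
        if sep and key in HEADER_KEYS:
            header[key] = value.strip()
    return header, entries


def compare_logs(before_text, after_text):
    """Diff two scans of the same machine."""
    before_hdr, before = parse_log(before_text)
    after_hdr, after = parse_log(after_text)
    unchanged = [
        key for key in HEADER_KEYS
        if key in before_hdr and before_hdr[key] == after_hdr.get(key)
    ]
    return {
        "removed": sorted(before - after),      # fixed, or dropped from the log
        "persisting": sorted(before & after),   # present in both scans
        "new": sorted(after - before),          # appeared since the last scan
        "version_unchanged": unchanged,         # same OS/IE build in both scans
    }


if __name__ == "__main__":
    report = compare_logs(LOG_BEFORE, LOG_AFTER)
    for label in ("removed", "persisting", "new"):
        print(f"{label}:")
        for code, text in report[label]:
            print(f"  {code} - {text}")
    print("version lines unchanged:", ", ".join(report["version_unchanged"]))
```

Entries listed under "new" are the ones to review first, since they were written after the previous cleanup pass.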

#11 landis7181


Posted 19 May 2004 - 01:22 PM

I ran cwshredder and it removed cwsyexe. I rebooted and then ran hijackthis and fixed the specified problems. I then rebooted again. Windows Media Player ran fine. I downloaded all the crucial updates except service pack 1 and the security update which I am assuming are the most important. It won't let me download the service pack and it said I successfully downloaded the security update but when I go back to see what other updates I need it says I still need it. My home page is back to normal and everything seems to be ok. Here is my new log. Thank you for all your help.

logfile of HijackThis v1.97.7
Scan saved at 1:59:52 PM, on 5/19/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8121.4448842593
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#12 Quinstar


Posted 19 May 2004 - 01:56 PM

Service pack 1 is the most important of them all... The rest will not install correctly if I remember right...

Your log looks clean...


Try this:

Turn off system restore:
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box
Click Apply.
As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.


Online Virus Scanner:
Go to TREND MICRO’s free online virus scanner
http://housecall.tre.../start_corp.asp
and deal with it there.


Here's an online Trojan scan:
Click yes when you get prompted...
http://www.trojansca.../trojanscan.htm
And do what they ask...


To turn on Windows XP System Restore:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.


Now try installing sp1...


Good Luck...



